Abstract


This thesis describes the design of a meta-logical framework that supports the representation and verification of deductive systems, its implementation as an automated theorem prover, and experimental results related to the areas of programming languages, type theory, and logics.

Design: The meta-logical framework extends the logical framework LF [HHP93] by a meta-logic M_2^+. This design is novel and unique since it allows higher-order encodings of deductive systems and induction principles to coexist. On the one hand, higher-order representation techniques lead to concise and direct encodings of programming languages and logic calculi. Inductive definitions, on the other hand, allow the formalization of properties about deductive systems, such as the proof that an operational semantics preserves types or the proof that a logic is consistent. M_2^+ is a proof calculus whose proof terms are recursive functions that may be defined by cases and range over dependent higher-order types. The soundness of M_2^+ follows from a realizability interpretation of proof terms as total recursive functions.

Implementation: A proof search algorithm for proof terms in M_2^+ is implemented in the meta-theorem prover that is part of the Twelf system [PS99b]. It takes full advantage of higher-order encodings while using inductive reasoning.

Experiments: Twelf has been used for many experiments. Among others, it proved automatically the Church-Rosser theorem for the simply-typed λ-calculus and the cut-elimination theorem for intuitionistic first-order logic. In programming languages, it proved various type preservation theorems for different operational semantics and compiler correctness theorems. In logics, it was able to derive the equivalence of various logic calculi, such as the natural deduction calculus, the sequent calculus, and the Hilbert calculus. Twelf also proved that Cartesian closed categories can be embedded into the simply-typed λ-calculus. In the special domains of programming languages, type theory, and logics, Twelf's reasoning power far exceeds that of any other theorem prover.
Chapter 1

Introduction 


We can look at the current field of problem solving by computers as a series of ideas about how to present a problem. If a problem can be cast into one of these representations in a natural way, then it is possible to manipulate it and stand some chance of solving it. [Allen Newell]


It is common knowledge that it is very difficult to design software systems that work flawlessly and reliably. Most software products contain defects; some of them are harmless, others might be potentially harmful. From experiences in programming language research we have learned that many software defects can be avoided by using appropriate programming languages. For example, strongly typed languages like Standard ML of New Jersey [MTHM97] or Haskell [Tho99] guarantee by design that a program can never cause a segmentation fault and crash.

Also Java [LY96] is designed with a strong type system. Following from properties of the Java language, the execution of a Java program theoretically never crashes. In fact, the Java bytecode verifier that is part of the Java distribution statically examines bytecode for memory and type violations and rejects suspicious bytecode. But can we trust the bytecode verifier? Certainly not, since its semantics is specified only informally and in plain English, which renders convincing formal proofs of any safety guarantees impossible.

Consequently, a rigorous formalization of the programming language and its semantics is necessary in order to reason about it and to convince others of the soundness of a design. A sound design of ML, for example, guarantees that the execution of a program of a given type never returns a result that is of another type. It should also guarantee that the algorithm that computes the type of a program — the type-inference algorithm — always terminates and always returns the correct result: the principal type if it exists, or failure otherwise.

Therefore, in order to reason about programming languages we must rely on rigorous formalizations of their syntax and operational semantics. Formulations of this kind have been developed, for example, for ML [MTHM97, HS97] and for subsets of Java [SA98, NvO98], but rigorous arguments about these formalizations are very difficult to do. Answers to questions such as "Is Java type safe?" or "Is ML type-checking decidable?" are tedious arguments, and they must typically consider so many cases that they are not easily verifiable by humans. This thesis is about tools to represent and reason about programming languages.

Another motivating example comes from the area of authentication protocol design. Using the Needham-Schroeder protocol [NS78], two corresponding parties can authenticate, but unfortunately the protocol is flawed. Lowe [Low96] has shown that it can be attacked by an intruder making his victim believe that he is somebody else. Is it possible to catch design flaws like this during the design process? It is, by using techniques such as model checking [MCJ97] or inductive theorem proving [Pau98].

A few decades ago the importance of automated reasoning led researchers to develop systems that provide formal support for the everyday tasks of mathematicians and programming language designers. The first major breakthrough, for example, was possibly the computer-assisted proof of the four color theorem [AH77a, AH77b]: every planar graph is colorable by four colors in such a way that regions sharing a common boundary do not share the same color.

Historically speaking, one of the first general purpose theorem provers including induction is the Nqthm system [BM79, BM88], which has been used to prove a tremendous variety of different results, many directly relevant to programming language research. Shankar [Sha94], for example, has used Nqthm to check a proof that the Church-Rosser theorem for the untyped λ-calculus holds, and he has also verified Gödel's incompleteness theorem. Another example goes back to Kunen, who formalized the proof of Ramsey's theorem [Kun95] in Nqthm.

Following the lead of Nqthm, many other theorem provers have evolved, based on different logics and different automated deduction algorithms with different strengths and weaknesses. Otter [McC94], for example, has been used to show that all Robbins algebras are Boolean [McC97], as conjectured in 1933.

First-order automated theorem provers could be applicable to our domain of reasoning about programming languages. However, they are not appropriate for representing programming languages such as ML or Java since they do not provide inductive definitions. But there are others: INKA [HS96], for example, is a theorem prover that can handle induction, and so are many proof assistants that are based on type theory, such as Isabelle [Pau94], Coq [DFH+93], NuPRL [C+86], and Lego [LP92].

Isabelle is a very popular proof assistant and has been used, for example, to reason about programming languages, such as Milner's type inference algorithm [NN99] and the operational semantics of a simple programming language [AC99]. It has also been used to reason about program refinement languages based on an embedding of weakest preconditions [Sta99].

Similar experiments in the area of programming languages have been conducted with the Coq system. In functional programming, the type inference algorithm of ML has been verified in Coq [CD99], and in logic programming the algorithm of SLD resolution [Jau99]. These experiments are not small; on the contrary, in the case of the formalization of SLD resolution, approximately 600 technical lemmas were necessary in the entire development.

The Ensemble project [KHH98] is concerned with the development of reliable and efficient group communication systems. In order to execute and verify program transformations, they have linked it to the NuPRL system.

For the purpose of machine-developed and machine-checked domain theory and program verification, Reus has implemented synthetic domain theory [Reu99], a constructive variant of domain theory, in Lego. Other examples conducted with Lego include the formalization of type theories and λ-calculi [MP99], and a formalization of the strong normalization proof for System F [Alt93].

The recurring pattern in all these experiments is the following. The programming language that should be proven sound must be encoded into the language the theorem prover or the proof assistant provides. For the theorem provers mentioned above this language is either a quantifier-free, a first-order, or a higher-order logic. Generally, the weaker the language, the more indirect the encoding. On the one hand, inductive definitions and higher-order features allow very direct encodings of programming languages. Constructs such as expressions, types, and inference rules are typically inductively defined, and higher-order representation techniques [HHP87, PE88] allow direct encodings of variables and substitution concepts that are part of any programming language.

Thus, in general, the expressiveness of a representation language is crucial for the attempt to reason formally about programming languages. Reasoning about programming languages can only be as effective as the encoding is — or, to put it the other way around: the more direct the encoding is, the easier it is to reason about them.

Unfortunately, higher-order encodings and inductive definitions are incompatible, since higher-order encodings violate the positivity condition associated with inductive definitions [DPS97]. Various attempts have been made to preserve the advantages of higher-order representation techniques in a setting with strong induction principles [DH94, DFH95], but none of these is entirely satisfactory from a practical or theoretical point of view. A first clean approach towards a solution of this problem was the modal λ-calculus [DPS97], which has been extended to dependent types [DL98]. A more recent proposal is due to Gabbay and Pitts [GP99], and Hofmann has given a categorical semantics for relating higher-order abstract syntax and induction principles [Hof99].

In this thesis, we describe a tool that provides higher-order representation techniques and inductive definitions. It is a meta-logical framework; it is implemented in the Twelf system [PS99b] and based on the logical framework LF [HHP93]. We discuss its design and its implementation, and demonstrate how to apply it to problems from the field of programming languages and logics. The Twelf system provides a special purpose theorem prover that draws its deductive power from the elegance of encoding.


Design of the Meta-Logical Framework

The design of a meta-logical framework can be best motivated by an informal example. Consider a developer who engineers safety architectures for mobile code such as proof carrying code [Nec97] or typed assembly language [MWCG99]. The basic idea underlying safety architectures is that a "code producer" augments mobile code with explicit safety proof objects that adhere to an a-priori specified safety policy. The code and the safety proof are then transmitted together through the network to a "code consumer". Once received, the code consumer examines the code and independently extracts verification conditions, which it then verifies using the safety proof. If the proof checker signals success, the code can be trusted with respect to the safety policy, and the code consumer can execute it safely. Among the many challenges in devising a safety architecture is the design of a sound safety proof language, such as for example a logic or a type system.

Without any machine support the developer has to engineer the safety proof language by hand and verify its soundness using only pencil and paper. In general, this is a tedious, difficult, intricate, and error prone process. Slight changes in the design of the safety proof language can render months of hard work useless, leaving the developer without any other option but to revisit all the proofs again. With the technology presented in this thesis, the developer can formalize safety proof languages such as logics and type systems, and reason about them automatically and effectively. In many of the examples discussed in this thesis, the system was able to check quickly whether changes or extensions to a logic invalidate any of the desired properties.

Our meta-logical framework uses as representation language the logical framework LF [HHP93]. It is a higher-order type theory which provides dependent types and higher-order representation techniques. Judgments are formally represented as types and derivations as objects. Logics such as the sequent calculi and the natural deduction calculi [Gen35] can be directly encoded in LF, taking full advantage of higher-order constructions. They directly support common concepts such as variable binding, capture-avoiding substitution, weakening, contraction, and exchange. For classical and intuitionistic logic, the representations are adequate, which means that objects in the type theory are in one-to-one correspondence with derivations in the logic.

There are other logical frameworks, which are based on inductive definitions. To a large extent they are implemented in the aforementioned proof assistants such as Coq, Isabelle, Lego, or NuPRL. Inductive definitions rely on the positivity condition that guarantees the set of constructors for each datatype to be fixed. From a modal theoretic point of view, we say that the world in which a datatype is defined is closed, because datatypes must not be extended by new constructors. Synonymously, we say that a closed world assumption is a precondition for standard inductive definitions.

In general, higher-order representation techniques violate the positivity condition, in particular for deductive systems, which are of particular interest to this work: encodings of programming languages and logics, for example, possess very elegant higher-order encodings that cannot be expressed inductively. On the other hand, without higher-order representations, the developer is obliged to declare the variables, substitutions, and contexts and to reason about their respective properties, such as, for example, weakening, contraction, exchange, and substitution lemmas.

Nevertheless, one can reason about any object in LF (functional or not) by induction. The proof of adequacy of any representation, for example, is based on an inductive argument over the structure of objects in LF. It is sound because any object — including functional objects — possesses a canonical form, and canonical forms in LF are inductively defined [HP99]. Intuitively, the conversion of an object to a canonical form simply corresponds to the execution of substitution operations.

Intrinsically, inductive definitions are closely related to function definition by cases. Any proof of a property using standard induction principles can be realized as a total function that expects input arguments in place of universal quantifiers and that computes witness objects in place of existential quantifiers. These functions are defined by cases, and totality is established as an external property of the function. Termination follows from comparing the argument vectors of recursive calls to the argument vector the function was originally called with; they must decrease according to a well-founded (terminating) ordering. And coverage relies on the closed world assumption: in every situation there are only finitely many cases to consider. Functions defined by cases should not be confused with the notion of function provided by the logical framework LF, which by construction cannot be defined by cases, since such functions typically do not possess canonical forms in LF [DPS97].

Therefore, in this thesis, we propose to use two inherently different function spaces. The first function space is parametric, and it serves the purpose of adequate higher-order representation of deductive systems with implicit treatment of variables and capture avoiding substitutions. For the purpose of this work we have chosen the function space provided by LF, since it satisfies all requirements and supports adequate encodings. But in general, it is conceivable to extend this work to other parametric function spaces defined in other logical frameworks, such as for example the linear logical framework [CP96] or the calculus of constructions [CH88].

Second, we propose a recursive function space that encodes proofs or properties about deductive systems, such as the soundness of a logic, or the Church-Rosser property of the simply-typed λ-calculus. These functions range over LF objects of arbitrary (possibly functional) type and can be defined by cases and recursion. The corresponding type theory, which is developed and presented in this thesis, is called M_2^+. When restricted to total functions, the type theory M_2^+ can be viewed as a meta-logic. Theorems are encoded as types in M_2^+, and proofs as total functions called realizers.

The argument that a natural deduction representation of first-order intuitionistic logic is equivalent to a sequent formulation makes use of both function spaces. The parametric function space is used to represent either of the two calculi, whereas the recursive function space is used to express that any derivation in one calculus can be converted into a derivation in the other. Thus, from a programming point of view, M_2^+ can be seen as the type system of a functional programming language that uses LF as the language to express datatypes.

If deductive systems are encoded via higher-order functions, M_2^+-proof terms may need to traverse λ-binders in order to make a recursive call, and each traversal of a λ-binder corresponds to the introduction of a new parameter. Intuitively, these parameters can be viewed as dynamic extensions of the set of constructors of their type. Consequently, during runtime the set of constructors of any type is not fixed any more, which invalidates the closed world assumption. In contrast, in our setting, inductive definitions are open-ended because recursive functions may dynamically introduce new parameters as constructors. Therefore, inductive definitions are not adequate for higher-order encodings.

On the other hand, the open world assumption that allows open-ended definitions of datatypes does not present an appropriate foundation for the calculus of total functions we aim to design in this thesis. On the contrary! Under the open world assumption it is impossible to predict the canonical form of any LF-object. Therefore, the open world assumption cannot give any guarantee that a recursive function covers all cases! From a modal point of view, it is possible to argue that a recursive function covers all cases in some given world — but it is impossible to argue that a recursive function covers all cases in any given world.

M_2^+'s design is based on the following observation: In general, during runtime, recursive functions always follow a few, but finitely many, different patterns when traversing λ-binders before executing a recursive call. Therefore, datatypes are always extended in a regular and predictable fashion, in contrast to the arbitrary extensions associated with the open world assumption. It is this regularity condition that allows us to judge whether a recursive function over open terms covers all cases. In this thesis we generalize the closed world assumption and simultaneously restrict the open world assumption.

The result is the regular world assumption, which allows datatypes to be open-ended but requires their extensions to be regular in structure. It enables us to reason about M_2^+ proof terms and to determine whether they cover all cases. Each proof term is augmented with a description of the world it is defined in, which ensures that only recursive functions defined in compatible regular worlds can call each other.

Returning to the example, an M_2^+-proof term that maps first-order natural deduction derivations to first-order sequent derivations has to recurse on open subformulas of universal formulas. In the case of a higher-order encoding of terms, each traversal of the λ-binder that represents a bound variable extends the set of constructors. Clearly, those extensions are regular.

Under the regular world assumption, M_2^+ is a type theory of partial functions that range over higher-order and dependently-typed LF objects. That M_2^+ is also a sound logic to reason about deductive systems is one of the main contributions of this thesis. Proof terms of M_2^+ are recursive functions witnessing the provability of (meta-)theorems about deductive systems. For this interpretation to hold, proof terms must be realizers, i.e. they are total recursive functions that always make progress and eventually terminate on every input.

More precisely, progress is given if case analysis covers all cases, a property that follows from techniques similar to definitional reflection [SH93a]. Termination, on the other hand, follows if a measure associated with each recursive call decreases every time a call is executed [RP96]. Under these restrictions all proof terms of M_2^+ are realizers, and therefore M_2^+ as a meta-logic is sound.

As a consequence for the logic example, any total function in M_2^+ that maps any natural deduction derivation to some sequent derivation is a proof of the soundness of the embedding, and vice versa, any total function in M_2^+ that maps any sequent derivation to some natural deduction derivation realizes the completeness proof.
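The two function spaces, the regular world assumption, and the progress and termination conditions above can be seen together in a small Twelf signature. The following is a constructed example added here, not code from the thesis; it uses the %mode/%worlds/%total directives of later Twelf releases rather than the %theorem/%prove interface the thesis describes, and all names (tp, exp, of, step, pres, the block bl) are chosen for this example. It encodes the simply-typed λ-calculus with LF's parametric function space, full β-reduction that steps under binders, and type preservation as a total relation over open terms.

```twelf
%% Constructed example: simply-typed lambda-calculus in LF.
%% Binders use LF's parametric function space (higher-order abstract
%% syntax), so substitution is LF application and needs no lemma.

tp : type.
base  : tp.
arrow : tp -> tp -> tp.

exp : type.
app : exp -> exp -> exp.
lam : tp -> (exp -> exp) -> exp.        %% the body is an LF function

%% Typing judgment, represented as a type family (judgments-as-types).
of : exp -> tp -> type.
of_app : of (app E1 E2) T
          <- of E1 (arrow S T)
          <- of E2 S.
of_lam : of (lam S E) (arrow S T)
          <- ({x:exp} of x S -> of (E x) T).   %% hypothetical premise

%% Full beta-reduction, including reduction under a lambda.
step : exp -> exp -> type.
step_beta : step (app (lam S E) V) (E V).      %% substitution = application
step_app1 : step (app E1 E2) (app E1' E2) <- step E1 E1'.
step_app2 : step (app E1 E2) (app E1 E2') <- step E2 E2'.
step_lam  : step (lam S E) (lam S E')
             <- ({x:exp} step (E x) (E' x)).

%% Type preservation as a relation in the recursive function space:
%% for all D : of E T and R : step E E' there exists D' : of E' T.
pres : of E T -> step E E' -> of E' T -> type.
%mode pres +D +R -D'.

pres_beta : pres (of_app D2 (of_lam D1)) step_beta (D1 V D2).
pres_app1 : pres (of_app D2 D1) (step_app1 R) (of_app D2 D1')
             <- pres D1 R D1'.
pres_app2 : pres (of_app D2 D1) (step_app2 R) (of_app D2' D1)
             <- pres D2 R D2'.
%% Traversing the binder introduces a fresh parameter x together with
%% its typing assumption dx; the case is proved in this extended context.
pres_lam  : pres (of_lam D) (step_lam R) (of_lam D')
             <- ({x:exp} {dx : of x S} pres (D x dx) (R x) (D' x dx)).

%% Regular world assumption: every context pres runs in is built only
%% from copies of this block, so coverage can be decided. A parameter x
%% from the block has no step derivation, so that case is vacuous.
%block bl : some {S:tp} block {x:exp} {dx : of x S}.
%worlds (bl) (pres _ _ _).
%% Progress (coverage) and termination (R decreases on every recursive
%% call) together make pres a realizer of the preservation theorem.
%total R (pres _ R _).
```

Removing the %worlds declaration, or adding a constructor for step on a bare parameter to the block, makes Twelf reject the %total check, which is the regular-world coverage argument failing rather than a termination failure.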

A similar approach toward the design of a meta-logic has been taken by Miller and McDowell [MM97] with their system FOλ^ΔIN. FOλ^ΔIN is a meta-logic based on an intuitionistic first-order logic extended by natural number induction and inductive definitions [SH93b]. It supports the representation of various logical frameworks, for example the intuitionistic and linear framework of hereditary Harrop formulas [McD97]. The embedded logical frameworks are used to represent deductive systems. Different from the soundness argument presented in this thesis, the soundness of FOλ^ΔIN follows by a cut-elimination argument [MM00].

From a purely logical perspective, M_2^+ is weak, since the only connectives defined for it are universal and existential quantifiers, conjunction, and truth. In addition, it is restricted to conjunctions of Π₂-formulas, i.e. formulas that consist of a block of universal quantifiers followed by a block of existential quantifiers. There are no propositional constants, and it provides neither implication nor disjunction nor negation nor equality. Nevertheless, M_2^+ draws its representational power from the underlying logical framework LF.

Because of the expressive strength of higher-order representation principles, proofs in M_2^+ are very efficient. For example, substitution, weakening, strengthening, and exchange lemmas are implicitly provided by LF, and therefore they do not have to be proven explicitly. This is a tremendous win compared to systems that cannot use higher-order encodings due to the positivity condition. Therefore, proofs in M_2^+ are in general shorter, more concise, and more elegant.

Implementation of the Meta-Logical Framework

The logical framework LF and the meta-logic M_2^+ are implemented in the Twelf system [PS99b]. In addition, we have implemented two proof search algorithms: one algorithm searches for LF objects of a given LF type, and the other searches for proof terms in M_2^+. Because of the judgments-as-types and the derivations-as-objects paradigm, the LF theorem prover is logic independent.

As opposed to traditional general purpose theorem provers, which are designed to search for derivations in a particular deductive system, such as for example first-order logic with or without equality, Twelf's M_2^+-theorem prover is considered to be a special purpose theorem prover. It is designed to reason about deductive systems in general, and logics and programming languages in particular. In its current version, Twelf is designed to be mostly automatic. In particular, it does not provide any mechanisms for user-specified tactics or tacticals. Neither does it employ any form of rewriting. For each theorem we only specify a sequence of lemmas, the induction variables, and an upper bound for search. The proof is completely automatic in every other respect.

The Twelf system is entirely written in Standard ML. The latest version is available through the Twelf homepage http://www.twelf.org.

Application of the Meta-Logical Framework

The technology presented in this thesis can be used to reason about prototypes of new programming languages, compilers, abstract machines, operational semantics, natural deduction calculi, and sequent calculi. In particular, in this thesis we report on the deductive power of Twelf and many experiments: In the area of programming languages, for example, Twelf has been used to derive several important properties about Mini-ML, that is, a version of an ML-like language without references, module system, and exceptions. Mini-ML's operational semantics is type preserving, and it is complete with respect to a reduction semantics. Furthermore, we have used Twelf to show the completeness of compiling and executing Mini-ML programs on a continuation passing machine, similar to the CPM machine [FSDF93].

The Church-Rosser theorem for the simply-typed λ-calculus is the running example used in this thesis. Using the standard decomposition of the development into a sequence of lemmas, Twelf can prove all of them automatically. It constructs a proof that is very similar to the one given in [Pfe93].

Many of our experiments include meta-theorems about logics: We have used Twelf to show the equivalence of the natural deduction and sequent formulations of first-order intuitionistic logic. Twelf has also shown that Hilbert derivations can be transformed into natural deduction derivations. For logic programming in the fragment of hereditary Harrop formulas, we have used Twelf to show that the search for uniform derivations and resolution are equivalent.

It took Twelf less than seven minutes on a Pentium II/400 MHz to show that cut-elimination holds for full intuitionistic logic. Consequently, first-order logic is sound [Gen35].

Further examples stem from the area of category theory: Twelf has been used to show the existence of an embedding from Cartesian closed categories into the simply-typed λ-calculus. The experiments show that the theorem proving technology described in this thesis is powerful enough to prove theorems far outside the realm of traditional theorem provers.

Twelf is currently actively used in other research groups, for example at Princeton to investigate logics for proof carrying code [Nec97]. Appel, Felten, and Felty, for example, are using Twelf to build a generic architecture that is applied in research on proof carrying code [AF00] and proof carrying authentication [AF99]. At Stanford, Stump and Dill are applying Twelf to develop proof terms for decision procedures [SD99].


1.1 Contributions

The first contribution of this thesis is the design of the meta-logic M_2^+. It is novel in that it combines higher-order representation techniques and dependent types provided by the logical framework LF with inductive definitions, a combination that has never been attempted before. One of the main consequences of this approach is that the closed world assumption underlying standard inductive definitions is not general enough to accommodate arguments over higher-order encodings; this observation leads to the regular world assumption that allows for dynamic and regular extensions of inductive definitions. M_2^+ is sound by a realizability interpretation of its proof terms as total functions.

The second contribution is the implementation of the meta-logic $\mathcal{M}_2^+$ in the Twelf system [PS99b]. Because of higher-order representation techniques, proofs of difficult theorems still have concise and elegant forms in $\mathcal{M}_2^+$. We have implemented two proof search algorithms, one for LF and the other for $\mathcal{M}_2^+$. The expressive strength of LF together with the deductive strength of $\mathcal{M}_2^+$ makes Twelf a powerful meta-logical framework.

The third contribution is the application of Twelf to many problems. It has been successfully employed to derive the meta-theory of a variety of examples from the areas of functional programming languages, type theories, operational semantics, abstract machines, compilers, and logics.


1.2  Outline 

This thesis is organized in three parts. The first part is designed to give the reader an overview of the background of LF and to motivate how to use it as a representation language for deductive systems. Specifically, in Chapter 2, we use the example of the simply-typed λ-calculus and the standard reduction rules to motivate dependent types, higher-order representation techniques, canonical forms and the desired adequacy of encoding. The simply-typed λ-calculus and its meta-theory are the running example throughout this thesis. In Chapter 3, for example, we prove a sequence of lemmas that eventually leads up to the proof of the Church-Rosser theorem. Among others, we present the proof of the diamond lemma in detail. The proofs of all lemmas and theorems can be computationally interpreted as functions, and they thus demonstrate the design principles behind the type theory $\mathcal{M}_2^+$ which we present in the second part of this thesis. Specifically, we first motivate it in Chapter 4 and expose the necessity to dynamically extend the set of constructors for LF types under the regular world assumption. In Chapter 5 we then make the informal constructions from Chapter 4 formal by defining appropriate judgments and rules for $\mathcal{M}_2^+$. Informal proofs are represented as proof terms in $\mathcal{M}_2^+$. Moreover, we establish two side conditions, coverage and termination, that informally enforce that all proof terms, once evaluated, always make progress and are guaranteed to terminate. The meaning of $\mathcal{M}_2^+$-proof terms is defined via a big-step operational semantics in Chapter 6; it is type-preserving, but insufficient to show that all proof terms of $\mathcal{M}_2^+$ are realizers. Therefore, we introduce a state-based abstract machine, its transition rules and syntactic criteria for coverage and termination in Chapter 7; the main result of this chapter is that any proof term in $\mathcal{M}_2^+$ satisfying those two criteria is a realizer, warranting that the interpretation of $\mathcal{M}_2^+$ as a meta-logic is sound. In the third and last part of this thesis, we sketch the implementation of a proof search algorithm for realizers in $\mathcal{M}_2^+$, we discuss its implementation in the Twelf system, and we demonstrate how to use Twelf to prove the Church-Rosser theorem automatically in Chapter 8. Additionally, we briefly report on other experiments already conducted with the Twelf system. Finally, we assess the results of this thesis and discuss future work in Chapter 9.
Part I

Background

Chapter 2

Logical Frameworks

2.1 Introduction

The development of programming languages is a challenging endeavor, and much more widespread than one might expect at first glance. Besides standard programming languages, such as C, C++, LISP, ML, and many others, there are scripting languages such as HTML, XML, PERL, or TeX, and query languages such as SQL or XQL, which can be categorized as programming languages.

We  can  make  a  very  similar  observation  about  logics.  Logics  are  very  important  “languages” 
to  express  properties  about  any  kind  of  system.  Specification  logics,  temporal  logics,  and  modal 
logics,  are  used  in  software  engineering  and  model  checking  to  describe  large  systems.  Logics 
are  also  used  to  describe  properties  of  secure  systems  and  they  form  the  foundation  for  logic 
programming  languages. 

If  a  developer  follows  sound  design  principles  when  drafting  a  programming  language  or 
a  logic,  the  user  of  the  language  will  benefit  from  it;  programs  are  easier  to  write,  easier  to 
compile  and  very  often  easier  to  maintain.  For  example,  a  sound  design  principle  underlying 
functional  programming  languages  is  that  the  evaluation  of  programs  preserves  types.  Similarly 
a  sound  design  principle  underlying  a  specification  logic  is  consistency.  Since  results  such  as  type 
preservation  of  an  operational  semantics  and  soundness  of  an  inference  system  always  express 
properties  about  the  designed  language  or  logic,  we  call  these  results  meta-logical  properties.  It 
is  very  important  to  verify  all  desired  meta-logical  properties  after  each  change  in  the  design 
of  a  programming  language,  e.g.  adding  new  constructors  to  the  language  could  violate  type 
preservation,  and  similarly,  adding  new  connectives  and  new  inference  rules  to  a  logic  could 
render  it  unsound. 

In this work we are not concerned with the design principles themselves, but rather with tools which support the design process. In this chapter we are primarily interested in the encoding of systems such as programming languages, operational semantics, and logic calculi, whereas in the subsequent chapters we investigate and devise a system which allows the formalization and automatic derivation of their meta-logical properties. Concretely, we begin with the presentation of the simply-typed λ-calculus with an appropriate reduction semantics, for which we then give its well-known encoding in the logical framework LF. It is the basis of the running example which is used throughout this thesis: in Chapter 3, for example, we derive its Church-Rosser property informally, in Chapter 4 formally, and in Chapter 8 automatically.
2.2 The Simply-Typed λ-Calculus

The λ-calculus was introduced by Church [CR36] as a model for partial functions. Initially, it was only of theoretical interest and it served as a vehicle for the study of computable functions. In particular, it has been shown that each Turing-computable function is also computable in the λ-calculus and vice versa [Rog92]. A few decades later, with the growth of the field of computer science, the λ-calculus gained a strong foothold in the area of basic computer science and functional programming languages. Specifically, with the programming language LISP, a functional programming language based on the λ-calculus, it gained a lot of influence and helped to shape the area of artificial intelligence.

The definition of λ-terms (which we simply call terms below) is deceptively simple. A term can be of the form

1. $\lambda x.\,e$, where $\lambda$ is a binding operator, $x$ a variable and $e$ is the body of the term,

2. $e_1\,e_2$, where $e_1, e_2$ are two subterms, or

3. $x$, simply a variable.

The term $\lambda x.\,e_1$ can be interpreted as a function, which may be applied to an argument $e_2$. Strictly speaking, $(\lambda x.\,e_1)\,e_2$ reduces by substituting $e_2$ for $x$ in $e_1$, an operation for which we use the following notation: $e_1[e_2/x]$. Any expression of the form $(\lambda x.\,e_1)\,e_2$ is called a redex.

How exactly reduction is executed is expressed by the operational semantics of the λ-calculus, which is given by reduction rules. In general, a reduction rule of the form $\mathit{lhs} \Rightarrow \mathit{rhs}$ can be applied to any subterm of a given term; applying a reduction rule means replacing the subterm which matches the shape of the left hand side $\mathit{lhs}$ of the rule by the right hand side $\mathit{rhs}$, where the free schematic variables have been instantiated accordingly.

$$\lambda x.\,e \Rightarrow_\alpha \lambda y.\,e[y/x]$$

$$(\lambda x.\,e_1)\,e_2 \Rightarrow_\beta e_1[e_2/x]$$

Informally, the first rule, called the α-rule, allows arbitrary renaming of bound variables. It requires that $y$ does not already occur freely in $e$. The second rule is called the β-rule and it simplifies redexes. Therefore a redex is also known as a β-redex. In the example, the application of two identity functions to each other reduces to just one identity function:

$$(\lambda x.\,x)\,(\lambda y.\,y) \Rightarrow_\beta (\lambda y.\,y)$$

We will not consider the α-rule any further because we can assume that substitution application will avoid variable capture. This is a quite common assumption and easy to enforce. Replacing $x$ in $e_1$ by $e_2$ requires first renaming all variables in $e_2$ away from variables in $e_1$. This implicit operation guarantees that the substitution can be safely executed [Chu40].

Types are an important vehicle in programming, because they can be used to capture invariants. In this sense, the untyped λ-calculus has only one type, because everything is a term, and one cannot distinguish between functions and non-functions, which attaches a rather misleading meaning to the name “untyped” λ-calculus. The more refined the concept of types, the more invariants the type system can capture.

For the purpose of our example, we now introduce a simple type system which goes back to Church [Chu41] and differentiates between atomic and function types. The syntactic formation rules are expressed using standard extended Backus-Naur form notation (EBNF):

$$\text{Types:}\quad \tau ::= a \mid \tau_1 \to \tau_2$$

This refinement of the untyped λ-calculus has its effects on terms: for the typing rules which we will introduce below to be sound, we must endow bound variables with type information.

$$\text{Terms:}\quad e ::= x \mid \lambda x{:}\tau.\,e \mid e_1\,e_2$$

We call a term closed if all variables occur in the scope of a λ-binder. For example, the term $\lambda x{:}\tau.\,x$ is closed whereas $\lambda x{:}\tau.\,y$ is not. Terms which are not closed are called open.

Types allow us to separate valid terms from invalid terms via a deductive system. In general, deductive systems are defined by a set of judgments and a set of inference rules. A judgment is an informal statement; the inference rules help to establish its truth in the following way: a judgment is said to be evident if it can be deduced from axioms by applying the inference rules. For simplicity we think of axioms as inference rules without any premisses. For a very enlightening presentation we refer the interested reader to the work of Martin-Löf [ML80].

We assert that a term $e$ is valid by the judgment “term $e$ has type $\tau$”, which we abbreviate with $e : \tau$. There are only two inference rules for this judgment, which we give in natural deduction style.


$$\dfrac{\begin{array}{c}\overline{\;\vdash x : \tau_1\;}\;u\\ \vdots\\ \vdash e : \tau_2\end{array}}{\vdash \lambda x{:}\tau_1.\,e : \tau_1 \to \tau_2}\;\mathrm{tplam}^{u}
\qquad
\dfrac{\vdash e_1 : \tau_2 \to \tau_1 \qquad \vdash e_2 : \tau_2}{\vdash e_1\,e_2 : \tau_1}\;\mathrm{tpapp}$$


The rule tpapp is an inference rule with two premisses which reads: if the judgment $e_1 : \tau_2 \to \tau_1$ holds, and $e_2 : \tau_2$, then the judgment $e_1\,e_2 : \tau_1$ holds, too. The rule tplam is slightly more complicated, because it introduces an additional assumption marked by the label $u$ which is discharged when the rule is applied. Note that there are no axiom rules. Deductions can only be closed by introduced hypotheses.

Going back to the previous discussion, the introduction of types and the typing relation makes a distinction between valid and invalid terms possible: a term $e$ is valid if there is a type $\tau$ and $e : \tau$ is derivable from the two rules above. If not, it is invalid. For any type $\tau$ the term $(\lambda x{:}\tau.\,x\,x)$ for example is invalid, because when considering the body of the term, if $x$ has type $\tau$, the rule tpapp is not applicable, and neither is tplam.

The reduction rules from the untyped λ-calculus, endowed with types at the variable binders, form the reduction rules for the simply-typed λ-calculus.

$$\lambda x{:}\tau.\,e \Rightarrow_\alpha \lambda y{:}\tau.\,e[y/x]$$

$$(\lambda x{:}\tau.\,e_1)\,e_2 \Rightarrow_\beta e_1[e_2/x]$$

On the more pragmatic side, there are terms in the untyped λ-calculus which allow infinitely many applications of the reduction rules, as for example:

$$(\lambda x.\,x\,x)\,(\lambda x.\,x\,x) \Rightarrow_\beta (\lambda x.\,x\,x)\,(\lambda x.\,x\,x) \Rightarrow_\beta \cdots$$

This particular infinite rewrite sequence cannot be derived with the reduction rules in the simply-typed case if we stipulate that we are only working with valid terms. As we have seen, the term $(\lambda x{:}\tau.\,x\,x)$ cannot be assigned a type, and hence all terms in this rewrite sequence are ill-typed. As a matter of fact, we can show that for each well-typed term there is only a finite sequence of reduction steps before no reduction step is applicable any more. The right-most term of such a sequence is called a normal form of the initial term, and as we will discuss now, it is always unique.


2.2.1  Reduction  Relations 

The reduction rules of the simply-typed λ-calculus are commonly used to assign meaning to a term. One way of doing this is to identify all terms that reduce to the same result as a class, and to pick one witness of the class as a semantic representative. Is this semantics well-defined? Is it sound? Needless to say, in order to decide if two terms mean the same thing we have to check that they are in the same class. Is it possible to calculate the class representative for each term quickly and effectively? Is the meaning of each term unique? In this section we formally define an appropriate reduction relation for the simply-typed λ-calculus for which we prove the unique existence of class representatives in Section 3.2. This class representative is commonly referred to as the normal form.

Informally, we apply the β-reduction rule in the following way: for a given term, select a subterm, match it with the left hand side of a reduction rule and then replace it by the right hand side. In the following, we make this more precise. To assert that a term $e$ reduces to a term $e'$ in one step, we use the judgment $e \longrightarrow e'$. The rules which define this judgment are as follows:


$$\dfrac{}{(\lambda x{:}\tau.\,e_1)\,e_2 \longrightarrow e_1[e_2/x]}\;\mathrm{rbeta}
\qquad
\dfrac{e \longrightarrow e'}{\lambda x{:}\tau.\,e \longrightarrow \lambda x{:}\tau.\,e'}\;\mathrm{rlam}$$

$$\dfrac{e_1 \longrightarrow e_1'}{e_1\,e_2 \longrightarrow e_1'\,e_2}\;\mathrm{rapp}_1
\qquad
\dfrac{e_2 \longrightarrow e_2'}{e_1\,e_2 \longrightarrow e_1\,e_2'}\;\mathrm{rapp}_2$$


For any given term, there might be more than just one possibility to apply a reduction rule. Consider for example the well-typed term $\lambda x{:}\tau.\,(\lambda y{:}\tau.\,y)\,((\lambda z{:}\tau.\,x)\,x)$, which can reduce in one step to two different terms: $\lambda x{:}\tau.\,(\lambda z{:}\tau.\,x)\,x$ and $\lambda x{:}\tau.\,(\lambda y{:}\tau.\,y)\,x$. First, the body of the entire expression is amenable to β-reduction, as this derivation shows:

$$\dfrac{\dfrac{}{(\lambda y{:}\tau.\,y)\,((\lambda z{:}\tau.\,x)\,x) \longrightarrow (\lambda z{:}\tau.\,x)\,x}\;\mathrm{rbeta}}{\lambda x{:}\tau.\,(\lambda y{:}\tau.\,y)\,((\lambda z{:}\tau.\,x)\,x) \longrightarrow \lambda x{:}\tau.\,(\lambda z{:}\tau.\,x)\,x}\;\mathrm{rlam}$$
Second, the argument inside the body is also amenable to β-reduction.

$$\dfrac{\dfrac{\dfrac{}{(\lambda z{:}\tau.\,x)\,x \longrightarrow x}\;\mathrm{rbeta}}{(\lambda y{:}\tau.\,y)\,((\lambda z{:}\tau.\,x)\,x) \longrightarrow (\lambda y{:}\tau.\,y)\,x}\;\mathrm{rapp}_2}{\lambda x{:}\tau.\,(\lambda y{:}\tau.\,y)\,((\lambda z{:}\tau.\,x)\,x) \longrightarrow \lambda x{:}\tau.\,(\lambda y{:}\tau.\,y)\,x}\;\mathrm{rlam}$$

Repeated applications of single-step reductions are captured by the multi-step reduction relation: if, for example, $e_1 \longrightarrow e_2$, $e_2 \longrightarrow e_3$ and $e_3 \longrightarrow e_4$, then we write $e_1 \longrightarrow^{*} e_4$. Clearly, $e \longrightarrow^{*} e'$ is again a judgment, which we define by two inference rules.


Finally, we define the conversion relation as the reflexive, transitive, and symmetric closure of the multi-step reduction. $e_1$ and $e_2$ are convertible if and only if the new judgment $e_1 \longleftrightarrow e_2$ is derivable using the following inference rules:


rsymm 


rtrans 


It is very easy to see that there is a derivation of $\lambda x{:}\tau.\,(\lambda z{:}\tau.\,x)\,x \longleftrightarrow \lambda x{:}\tau.\,(\lambda y{:}\tau.\,y)\,x$.

To guarantee soundness of the reduction semantics, we need to show the well-known Church-Rosser property, that is, that any two convertible terms reduce to the same unique normal form, given that their reductions terminate. The informal development of this proof will be the main content of Chapter 4. But first, we investigate possible formalizations of the simply-typed λ-calculus in a logical framework, their advantages and their disadvantages.
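As an added illustration (not code from the thesis or from Twelf), the following Python models the typing rules tplam and tpapp of Section 2.2 together with the single-step rules rbeta, rlam, rapp1 and rapp2 above, using an explicit capture-avoiding substitution in place of the implicit α-rule. The two-redex term and the untypable self-application are the ones from the text; the atomic type name "a" and the fuel bound on multi-step reduction are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

# Types: tau ::= a | tau1 -> tau2.  Atomic types are plain strings such as "a".
@dataclass(frozen=True)
class Arrow:
    dom: "Type"
    cod: "Type"

Type = Union[str, Arrow]

# Terms: e ::= x | lam x:tau. e | e1 e2
@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class Lam:
    x: str
    ty: Type
    body: "Term"

@dataclass(frozen=True)
class App:
    fn: "Term"
    arg: "Term"

Term = Union[Var, Lam, App]

def typeof(e: Term, ctx: Optional[Dict[str, Type]] = None) -> Optional[Type]:
    """Rules tplam and tpapp; ctx holds the hypotheses u introduced by tplam.
    Returns the type of a valid term and None for an invalid one."""
    ctx = ctx or {}
    if isinstance(e, Var):                      # hypothesis u: x : tau1
        return ctx.get(e.name)
    if isinstance(e, Lam):                      # tplam
        t2 = typeof(e.body, {**ctx, e.x: e.ty})
        return Arrow(e.ty, t2) if t2 is not None else None
    t_fn, t_arg = typeof(e.fn, ctx), typeof(e.arg, ctx)   # tpapp
    if isinstance(t_fn, Arrow) and t_arg is not None and t_fn.dom == t_arg:
        return t_fn.cod
    return None

def free_vars(e: Term) -> set:
    if isinstance(e, Var):
        return {e.name}
    if isinstance(e, Lam):
        return free_vars(e.body) - {e.x}
    return free_vars(e.fn) | free_vars(e.arg)

def subst(e: Term, x: str, s: Term) -> Term:
    """e[s/x].  Bound variables are first renamed away from the free variables
    of s (the alpha-rule applied implicitly), so nothing is captured."""
    if isinstance(e, Var):
        return s if e.name == x else e
    if isinstance(e, App):
        return App(subst(e.fn, x, s), subst(e.arg, x, s))
    if e.x == x:                                # x is rebound: nothing to replace
        return e
    if e.x in free_vars(s):
        y = e.x
        while y in free_vars(s) | free_vars(e.body):
            y += "'"
        return Lam(y, e.ty, subst(subst(e.body, e.x, Var(y)), x, s))
    return Lam(e.x, e.ty, subst(e.body, x, s))

def step(e: Term) -> List[Term]:
    """All e' with e --> e' under rbeta, rlam, rapp1 and rapp2; more than one
    result means the term has several redexes."""
    out: List[Term] = []
    if isinstance(e, App) and isinstance(e.fn, Lam):          # rbeta
        out.append(subst(e.fn.body, e.fn.x, e.arg))
    if isinstance(e, Lam):                                    # rlam
        out += [Lam(e.x, e.ty, b) for b in step(e.body)]
    if isinstance(e, App):
        out += [App(f, e.arg) for f in step(e.fn)]            # rapp1
        out += [App(e.fn, a) for a in step(e.arg)]            # rapp2
    return out

def normalize(e: Term, fuel: int = 1000) -> Optional[Term]:
    """Multi-step reduction e -->* e' to a term with no reduct (its normal form).
    fuel bounds the search: well-typed terms always reach a normal form, an
    ill-typed one such as omega omega need not, and then None is returned."""
    for _ in range(fuel):
        nexts = step(e)
        if not nexts:
            return e
        e = nexts[0]
    return None

A = "a"
# lam x:a. (lam y:a. y) ((lam z:a. x) x): the term with two redexes from the text
EXAMPLE = Lam("x", A, App(Lam("y", A, Var("y")), App(Lam("z", A, Var("x")), Var("x"))))
# lam x:a. x x: the self-application that cannot be assigned a type
OMEGA = Lam("x", A, App(Var("x"), Var("x")))
```

Both one-step reducts of EXAMPLE normalize to the same term lam x:a. x, the Church-Rosser behaviour the section announces, while App(OMEGA, OMEGA) never reaches a normal form.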


2.3  Methodology  of  Representation 

The first step, when using a computer to facilitate the design and the formal development of a programming language or a logic, is to choose an appropriate formalism to represent these abstract systems, or object languages as we sometimes call them, in order to make them amenable to algorithmic manipulation and automated reasoning. As a matter of fact, as we show in this thesis, this point cannot be overemphasized. We will see that the more elegantly and directly a programming language can be represented — in our example the simply-typed λ-calculus — the easier it is to do the second step, namely to specify meta-theoretic properties, such as the Church-Rosser theorem.

Even  though  the  formalism  to  represent  an  abstract  system  is  called  a  meta-language  in  the 
literature  [HHP93,  McD97]  we  will  not  adopt  this  name  in  order  not  to  confuse  the  reader  with 
the  continuous  overloading  of  the  term  “meta”.  Throughout  this  thesis,  we  use  the  word  “meta” 
only  to  refer  to  the  reasoning  layer,  the  upper  level  above  the  representation  layer  in  Figure  2.1. 
For us, the informal description and the formal representation of a programming language are very close and natural, and since the adequacy of representation is the most basic assumption, we can almost identify the informal and formal representation of an abstract system. Instead of meta-language, we adopt the common name logical framework for the representation language, and we speak of the encoding of an abstract system, such as the simply-typed λ-calculus, as the image of the representation in the logical framework.

Figure 2.1: Methodology of representation. Three layers, from top to bottom: Informal Reasoning (Church-Rosser theorem, cut-elimination theorem, type preservation properties); Informal Specification (simply-typed λ-calculus, logic calculi, operational semantics); Logical Framework (type theory LF, judgments-as-types, derivations-as-objects). The layers are connected by the process of representation/formalization/encoding.

In  this  section,  we  motivate  and  describe  the  minimal  requirements  we  stipulate  for  the 
representation  language,  which  gradually  leads  to  the  definition  of  the  logical  framework  LF 
[HHP93].  We  also  review  other  logical  frameworks,  such  as  the  calculus  of  constructions  [Coq86]. 


2.3.1 Type theory

The challenge in representing a programming language or a logic which is specified via a deductive system is to define suitable concepts to represent its components: the set of judgments and the set of inference rules. In the past few decades, approaches based on type theory have prevailed. The underlying paradigms suggest using types to represent judgments, and objects to represent derivations. To show that “a judgment is evident” reduces in type theory to the construction of an object, the so-called witness of a type corresponding to the judgment. If such a witness exists the type is called inhabited, otherwise uninhabited. Within this paradigm, judgments are hence represented as types and derivations as objects.

In order to validate formal arguments about derivations in a deductive system, we must be sure that the objects in the logical framework that are being manipulated naturally correspond to derivations in the deductive system and vice versa. Therefore, it must be enforced a priori that all derivations of a deductive system stand in one-to-one correspondence with their encodings. This requirement provides the central justification of formalization and formal reasoning in general; it must not be destroyed by any extensions to the logical framework.

2.3.2  Higher-order  abstract  syntax 

The issues which arise when representing the simply-typed λ-calculus from Section 2.2 in a logical framework are manifold. We hence tackle them one by one, and we start with a technique called higher-order abstract syntax. Higher-order abstract syntax provides an extremely brief and elegant way of representing variables and capture-avoiding substitutions. In our first example of the untyped λ-calculus, terms were defined by the following syntactic rules:

$$\text{Untyped terms:}\quad e ::= x \mid \lambda x.\,e \mid e_1\,e_2$$

Implicitly,  this  syntactic  description  defines  a  judgment  and  a  set  of  inference  rules.  It  is 
very  important  to  understand  the  elegant  uniformity  since  it  is  a  recurring  scheme  throughout 
this  thesis,  and  only  a  deep  understanding  of  this  technique  can  explain  the  benefits  of  all  the 
techniques  which  are  developed  and  discussed  in  subsequent  chapters.  The  judgment  induced 
by  the  syntactic  rules  above  is  simply  “is  an  untyped  term”  for  which  we  simply  write  “term”, 
and  the  inference  rules  are: 

$$\dfrac{\begin{array}{c}\overline{\;\mathrm{term}\;}\;x\\ \vdots\\ \mathrm{term}\end{array}}{\mathrm{term}}\;\mathrm{lam}^{x}
\qquad
\dfrac{\mathrm{term}\qquad\mathrm{term}}{\mathrm{term}}\;\mathrm{app}$$

Note,  that  the  treatment  of  variables  is  implicit  in  these  rules.  There  is  no  need  for  a  rule  which 
states  that  x  is  a  term,  since  this  assumption  is  dynamically  introduced  by  the  lam  rule  and 
discharged  thereafter.  There  is  a  crucial  difference  in  presenting  the  syntax  of  terms  in  EBNF 
or  as  a  deductive  system.  In  the  former  case,  one  might  first  think  of  representing  variables  as 
strings,  or  integers,  or  some  other  auxiliary  construct,  which  would  lead  to  the  representation 
of  the  two  judgments  as  type  “term”  and  type  “var” 

term : type
var : type

which, hypothetically speaking, would lead to the following representation of the object constants: “var” of type var → term which coerces variables to terms, “lam” of type var → term → term, and “app” of type term → term → term:

var : var → term
lam : var → term → term
app : term → term → term

In the latter case, on the other hand, one might be inspired to represent the variables of the untyped λ-calculus by variables provided by the logical framework. This is the concept which we predominantly use in this thesis and it is called higher-order abstract syntax [PE88]. It leads to a much simplified representation of terms: we only need to represent one judgment, namely term. Formally, we write $\ulcorner \mathrm{term} \urcorner = \mathrm{term}$, where the “term” on the left of the equality symbol is the judgment “term”, and the “term” on the right is a type. The representation function maps judgments to types and derivations to objects and is written as $\ulcorner \cdot \urcorner$.

term : type

Using this technique, we can inductively define the encoding of the untyped terms by representing each of the inference rules. In the case of the λ-binder, we must dynamically introduce a new bound variable, $x$. Note that the λ-binder to the right of the equality sign is the λ-binder of the logical framework. The $\mathcal{E}$ to the left of the equality symbol represents the derivation of the premiss. Throughout the thesis, we will name the newly defined object constants in correspondence with the names of the rules they are representing. This greatly improves the presentation of this material. In addition, it is always clear from the context what a name refers to.

$$\left\ulcorner \dfrac{\begin{array}{c}\overline{\;\mathrm{term}\;}\;x\\ \mathcal{E}\\ \mathrm{term}\end{array}}{\mathrm{term}}\;\mathrm{lam}^{x} \right\urcorner = \mathrm{lam}\,(\lambda x.\,\ulcorner \mathcal{E} \urcorner)$$

In a similar, but much easier way, the application rule is represented by an object constant “app”. $\mathcal{E}_1$ and $\mathcal{E}_2$ are simply symbolic names of the derivations of the premisses.

$$\left\ulcorner \dfrac{\begin{array}{c}\mathcal{E}_1\\ \mathrm{term}\end{array}\qquad\begin{array}{c}\mathcal{E}_2\\ \mathrm{term}\end{array}}{\mathrm{term}}\;\mathrm{app} \right\urcorner = \mathrm{app}\,\ulcorner \mathcal{E}_1 \urcorner\,\ulcorner \mathcal{E}_2 \urcorner$$

In summary, the representations of the lam and the app rule are two object constants with corresponding names. Note that the type of “lam” expresses that it expects a function as argument.

lam : (term → term) → term
app : term → term → term

As a side remark, we want to point out that both possibilities are correct in the sense that it is possible to identify λ-terms with their images in the type theory. Such an encoding is called adequate. We discuss the problems related to adequacy in the next subsection.

Why is the encoding using higher-order abstract syntax preferable? We make the following observation: closely associated with the notion of a variable is the notion of substitution. If λ-terms were encoded as suggested in the first solution with “var” and “term”, the reduction rules could not be represented directly, because the notion of substitution has to be made explicit. As an example, consider the left hand side $e_1[e_2/x]$ of the β-reduction rule from Section 2.2. In addition, the properties of substitutions must be analyzed and proven explicitly in order to take advantage of them.

Lemma 2.1 (Substitution) If $e_1$ : term with zero or more occurrences of the variable $x$ : var, and $e_2$ : term, then there exists a term $e'$, where all occurrences of (var $x$) have been replaced by $e_2$.

Proof: The proof goes by induction over $e_1$. □

Even though it is easy in this particular example, substitution lemmas in general require very tedious and time-consuming proofs in more complicated settings. In addition, experience has shown that lemmas of this form are quite common when experimenting with programming languages and logics. Most likely their mere existence will pollute the proof search of subsequent lemmas in the implementation which is discussed in Chapter 8. For larger examples, such as the entire simply-typed λ-calculus (see Section 2.2) including a typing relation and more (to be discussed in Section 3.2), proving these kinds of lemmas is a necessary, time-consuming, and simultaneously not very rewarding activity. Therefore, it is of great benefit if the treatment of variables and substitutions is implicit.

On the other hand, if we represent terms with higher-order abstract syntax, the substitution lemma comes for free by means of the representation. $\ulcorner e_1[e_2/x] \urcorner$, for example, is encoded by the β-rule of the logical framework. Since $\ulcorner \lambda x.\,e_1 \urcorner = \mathrm{lam}\,(\lambda x{:}\mathrm{term}.\,\ulcorner e_1 \urcorner)$ where $\ulcorner x \urcorner = x$, it follows that $(\lambda x{:}\mathrm{term}.\,\ulcorner e_1 \urcorner)$ is a function of type term → term. Moreover, by construction, if we apply this function to any other term, all variables $x$ are replaced by the argument term, hence forcing the execution of substitution in the λ-calculus. Consequently, the representation of the left hand side of the β-rule in our object language is simply

$$\ulcorner e_1[e_2/x] \urcorner = (\lambda x{:}\mathrm{term}.\,\ulcorner e_1 \urcorner)\,\ulcorner e_2 \urcorner$$

where the juxtaposition to the right of the equality symbol is the application operation of a function to an argument provided by the logical framework.

The difference between first-order and higher-order representation techniques is that with first-order representations the concept of substitution and the substitution application mechanism must be explicitly defined and the associated properties explicitly proven. With higher-order representations, on the other hand, we can use the variables and the notion of substitution from the logical framework and inherit all associated properties for free. Naturally, when using higher-order representation techniques, the proof of adequacy is more complicated and less direct than in the first-order case. The adequacy of representation is essential in our approach and is therefore discussed in the next subsection.
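To make the comparison between the two encodings of Section 2.3.2 concrete, here is an added Python sketch (not the thesis's or Twelf's code) of the first-order encoding with an explicit var constructor beside the higher-order one in which lam takes a host-language function, so that the β-step needs no substitution of its own. The naive first-order substitution, the readback and canonical-renaming helpers and the two example terms are assumptions of this example, constructed to show the capture that Lemma 2.1 and the α-rule exist to prevent.

```python
from dataclasses import dataclass
from typing import Callable, Union

# First-order encoding: a variable is explicit data, so its treatment is ours.
#   var : var -> term,  lam : var -> term -> term,  app : term -> term -> term
@dataclass(frozen=True)
class FVar:
    name: str

@dataclass(frozen=True)
class FLam:
    x: str
    body: "FTerm"

@dataclass(frozen=True)
class FApp:
    fn: "FTerm"
    arg: "FTerm"

FTerm = Union[FVar, FLam, FApp]

def fo_subst_naive(e: FTerm, x: str, s: FTerm) -> FTerm:
    """e[s/x] as the first-order encoding forces us to define it (Lemma 2.1).
    This hypothetical version skips the alpha-rule, so a binder inside e can
    capture a free variable of s; renaming binders first, and proving that the
    renaming is correct, is exactly the work the text says the user must do."""
    if isinstance(e, FVar):
        return s if e.name == x else e
    if isinstance(e, FApp):
        return FApp(fo_subst_naive(e.fn, x, s), fo_subst_naive(e.arg, x, s))
    return e if e.x == x else FLam(e.x, fo_subst_naive(e.body, x, s))

def fo_beta(e: FTerm) -> FTerm:
    """One beta step at the root, (lam x. e1) e2 ==> e1[e2/x], done by hand."""
    assert isinstance(e, FApp) and isinstance(e.fn, FLam)
    return fo_subst_naive(e.fn.body, e.fn.x, e.arg)

# Higher-order abstract syntax: the bound variable is a variable of the host
# language, so substitution is the host language's function application.
#   lam : (term -> term) -> term,  app : term -> term -> term
@dataclass(frozen=True)
class HLam:
    body: Callable[["HTerm"], "HTerm"]

@dataclass(frozen=True)
class HApp:
    fn: "HTerm"
    arg: "HTerm"

HTerm = Union[HLam, HApp, FVar]   # FVar is only used to name a free variable

def ho_beta(e: HTerm) -> HTerm:
    """The same beta step: no substitution function and no Lemma 2.1 needed,
    and no capture is possible, because the host binder is hygienic."""
    assert isinstance(e, HApp) and isinstance(e.fn, HLam)
    return e.fn.body(e.arg)

def readback(e: HTerm, depth: int = 0) -> FTerm:
    """Turn a HOAS term into first-order data, naming binders x0, x1, ... by
    their depth (the direction from framework objects back to terms)."""
    if isinstance(e, HLam):
        x = f"x{depth}"
        return FLam(x, readback(e.body(FVar(x)), depth + 1))
    if isinstance(e, HApp):
        return FApp(readback(e.fn, depth), readback(e.arg, depth))
    return e

def canon(e: FTerm, env=None, depth: int = 0) -> FTerm:
    """Rename the binders of a first-order term in the same way, so that
    alpha-equivalent terms become structurally equal and can be compared."""
    env = env or {}
    if isinstance(e, FVar):
        return FVar(env.get(e.name, e.name))
    if isinstance(e, FLam):
        x = f"x{depth}"
        return FLam(x, canon(e.body, {**env, e.x: x}, depth + 1))
    return FApp(canon(e.fn, env, depth), canon(e.arg, env, depth))

# Constructed closed example: (lam x. lam y. x y) (lam z. z); both encodings agree.
CLOSED_FO = FApp(FLam("x", FLam("y", FApp(FVar("x"), FVar("y")))), FLam("z", FVar("z")))
CLOSED_HO = HApp(HLam(lambda x: HLam(lambda y: HApp(x, y))), HLam(lambda z: z))
# Constructed open example: (lam x. lam y. x) y with y free.  The naive first-order
# substitution captures y and yields lam y. y; HOAS yields (up to renaming) lam y'. y.
OPEN_FO = FApp(FLam("x", FLam("y", FVar("x"))), FVar("y"))
OPEN_HO = HApp(HLam(lambda x: HLam(lambda y: x)), FVar("y"))
```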

2.3.3 Adequacy

Deductive systems and their representations in a logical framework must correspond to each other. The reason is that any derivation in the deductive system should be representable as an object in the type theory and vice versa. In particular, after mechanically manipulating objects in the type theory, we must be certain that the results correspond to derivations in the deductive system. In addition, if higher-order abstract syntax is used, the representation must be compositional, i.e. β-reduction provided by the logical framework corresponds to substitution. This correspondence is called adequacy. The untyped λ-calculus can be represented in a very simple logical framework, as we have seen in the previous subsection, namely the simply-typed λ-calculus (which would be the logical framework). On the other hand, representing the simply-typed λ-calculus from Section 2.2 requires a refined logical framework to guarantee the adequacy of the encoding, which we motivate in this subsection and which we discuss in detail in Section 2.4.

In Section 2.2 we have encountered well-typed and ill-typed terms. Since every simply-typed
term $e$ can be embedded into the untyped $\lambda$-calculus, clearly $\ulcorner e \urcorner : \mathsf{term}$, but on the flip side,
every ill-typed term $e'$ can also be embedded: $\ulcorner e' \urcorner : \mathsf{term}$. The encoding is hence not adequate.
It is not, because there are too many objects of type "term", many more than there are well-typed
simply-typed terms.

This observation motivates the solution which has been widely accepted in the literature. In
order to preserve the adequacy of the encoding, we must partition the type "term". This can be
done by indexing it. But by what? The best solution is to index it by the type which all objects
in this partition share! Intuitively, we partition the set of objects of type "term" into subsets
corresponding to the different types. We will see that these subsets are pairwise disjoint because
typing is unique (by Lemma 2.7). A consequence is that, by construction, ill-typed terms do not
belong to any of those partitions. Therefore, strictly speaking, the union of all index partitions
yields the set of simply-typed terms we are interested in, but there is an additional partition:
the partition of all ill-typed terms. In order to distinguish non-indexed from indexed types, we
continue to call the former type and the latter type family.

In order to represent simply-typed terms, we combine the syntactic formation rules for well-typed
terms and their typing rules, as discussed in Section 2.2. The resulting deductive system
is described by a judgment "is a term of type $\tau$", or short "term $\tau$", and the two inference rules
are given below.

\[
\frac{\begin{array}{c}\overline{\mathrm{term}\ \tau_1}^{\,x}\\ \vdots\\ \mathrm{term}\ \tau_2\end{array}}{\mathrm{term}\ (\tau_1 \to \tau_2)}\ \mathsf{lam}^x
\qquad
\frac{\mathrm{term}\ (\tau_2 \to \tau_1) \qquad \mathrm{term}\ \tau_2}{\mathrm{term}\ \tau_1}\ \mathsf{app}
\]

The representation of the judgment is defined by

\[
\ulcorner \mathrm{term}\ \tau \urcorner = \mathsf{term}\ \ulcorner \tau \urcorner
\]

where the juxtaposition to the right of the equality symbol is the type application operation
provided by the logical framework, which we will discuss in Section 2.4. For the remainder of
this section, it is sufficient to read the argument to the type family $\mathsf{term}$ as an index.

Similarly to the representation of the untyped $\lambda$-calculus, we obtain two equations, one for
the lam rule

\[
\left\ulcorner
\frac{\begin{array}{c}\overline{\mathrm{term}\ \tau_1}^{\,x}\\ \vdots\ e\\ \mathrm{term}\ \tau_2\end{array}}{\mathrm{term}\ (\tau_1 \to \tau_2)}\ \mathsf{lam}^x
\right\urcorner
= \mathsf{lam}\ (\lambda x : \mathsf{term}\ \ulcorner \tau_1 \urcorner.\ \ulcorner e \urcorner) : \mathsf{term}\ \ulcorner \tau_1 \to \tau_2 \urcorner
\]

and another for the app rule

\[
\left\ulcorner
\frac{\begin{array}{c}e_1\\ \mathrm{term}\ (\tau_2 \to \tau_1)\end{array} \qquad \begin{array}{c}e_2\\ \mathrm{term}\ \tau_2\end{array}}{\mathrm{term}\ \tau_1}\ \mathsf{app}
\right\urcorner
= \mathsf{app}\ \ulcorner e_1 \urcorner\ \ulcorner e_2 \urcorner : \mathsf{term}\ \ulcorner \tau_1 \urcorner
\]

which implicitly define the constants $\mathsf{lam}$ and $\mathsf{app}$. Types of the simply-typed $\lambda$-calculus are
represented by $\mathsf{tp} : \mathsf{type}$, and

\[
\ulcorner \tau_1 \to \tau_2 \urcorner = \ulcorner \tau_1 \urcorner\ \mathsf{arrow}\ \ulcorner \tau_2 \urcorner
\]

where $\mathsf{arrow}$ is a constant defined in LF. For better readability we use it as an infix operator.
In summary, the representation of simple types, the judgment "is a term of type $\tau$" and the
inference rules lead to the constant declarations depicted in Figure 2.2. "tp" is a type, "term"
is a type family, and both are alternatively called type constants; "arrow", "lam", "app" are
object constants. In order not to confuse the type with the object level, we follow the standard
definitions in the literature [HHP93], and call the type of a type constant kind, and continue to
call the type of an object constant type. The uppercase variable names $T_1$ and $T_2$ are universally
quantified placeholders that can be instantiated with arbitrary types.

\[
\begin{array}{lcl}
\mathsf{tp} & : & \mathsf{type}\\
\mathsf{arrow} & : & \mathsf{tp} \to \mathsf{tp} \to \mathsf{tp}\\
\mathsf{term} & : & \mathsf{tp} \to \mathsf{type}\\
\mathsf{lam} & : & (\mathsf{term}\ T_1 \to \mathsf{term}\ T_2) \to \mathsf{term}\ (T_1\ \mathsf{arrow}\ T_2)\\
\mathsf{app} & : & \mathsf{term}\ (T_2\ \mathsf{arrow}\ T_1) \to \mathsf{term}\ T_2 \to \mathsf{term}\ T_1
\end{array}
\]

Figure 2.2: Type and term constant declarations

As a matter of fact, the distinction between objects, types, and kinds already defines the
syntactic hierarchy we require from a logical framework. A complete list of type and object
constant declarations is called a signature, complete in the sense that each type and each kind
used in the signature does not contain any undeclared type or object constants.

We return to the question of adequacy. An encoding is adequate if each derivation in the
deductive system has exactly one counterpart in the type theory and vice versa. The adequacy
result for the representation of types is in one direction a straightforward inductive argument.
Let $a_1, \ldots, a_n$ be atomic types, which are directly represented in the logical framework as object
constants $a_1 : \mathsf{tp}, \ldots, a_n : \mathsf{tp}$.

Lemma 2.2 (Adequacy of representation of types I) If $\tau$ is a type, then $\ulcorner \tau \urcorner : \mathsf{tp}$.

Proof: by induction on $\tau$:

Case: $\tau = a_i$:

\[
\begin{array}{ll}
\ulcorner a_i \urcorner = a_i : \mathsf{tp} & \text{by assumption}
\end{array}
\]

Case: $\tau = \tau_1 \to \tau_2$:

\[
\begin{array}{ll}
\ulcorner \tau_1 \urcorner : \mathsf{tp} & \text{by i.h. on } \tau_1\\
\ulcorner \tau_2 \urcorner : \mathsf{tp} & \text{by i.h. on } \tau_2\\
\ulcorner \tau_1 \urcorner\ \mathsf{arrow}\ \ulcorner \tau_2 \urcorner : \mathsf{tp} & \text{by application provided by the type theory}\\
\ulcorner \tau_1 \to \tau_2 \urcorner : \mathsf{tp} & \text{by definition}
\end{array}
\]

$\Box$
The second direction is not more complicated, but it requires that the objects of the logical
framework can be analyzed structurally, i.e. an object must have only finitely many shapes. This
requirement is clearly not satisfied for types. Consider for example the following three objects:

\[
\begin{array}{lr}
(\lambda x : \mathsf{tp}.\ x)\ a_1 & (2.1)\\
a_1 & (2.2)\\
(\lambda x : \mathsf{tp}.\ a_1)\ a_1 & (2.3)
\end{array}
\]

Obviously, all three have type $\mathsf{tp}$. Moreover, if one stipulates the existence of an appropriate
$\beta$-rule in the type theory (as one can), all three of them reduce to $a_1$. In other words, there are
too many objects in the type theory corresponding to exactly one derivation in the deductive
system, hence violating the desired and required one-to-one correspondence between derivations
and objects, and hence clearly violating the adequacy of the representation.

What can be done? The answer comes naturally. We consider only those objects in the LF
type theory which are canonical, i.e. objects which cannot be reduced any further. In essence,
the logical framework we are motivating here guarantees the existence of these canonical forms
for every well-typed object. The canonical form theorem is essential to the whole thesis, and
is discussed in more detail in Section 2.4. But note that it is implicitly already used here:
a canonical object $T : \mathsf{tp}$ of the logical framework always has the shape of one of the two
$\beta$-normal forms: $T = a_i$ or $T = T_1\ \mathsf{arrow}\ T_2$.

Lemma 2.3 (Adequacy of representation of types II)

If $T : \mathsf{tp}$ is canonical then $T = \ulcorner \tau \urcorner$ and $\tau$ is a type.

Proof: by induction over the canonical forms of $T$:

Case: $T = a_i$

\[
\begin{array}{ll}
T = \ulcorner a_i \urcorner & \text{by assumption}\\
a_i \text{ is a type} & \text{by assumption}
\end{array}
\]

Case: $T = T_1\ \mathsf{arrow}\ T_2$

\[
\begin{array}{ll}
T_1 = \ulcorner \tau_1 \urcorner \text{ and } \tau_1 \text{ is a type} & \text{by i.h. on } T_1\\
T_2 = \ulcorner \tau_2 \urcorner \text{ and } \tau_2 \text{ is a type} & \text{by i.h. on } T_2\\
\ulcorner \tau_1 \to \tau_2 \urcorner = \ulcorner \tau_1 \urcorner\ \mathsf{arrow}\ \ulcorner \tau_2 \urcorner = T_1\ \mathsf{arrow}\ T_2 & \text{by definition}\\
\tau_1 \to \tau_2 \text{ is a type} & \text{by syntactic rule}
\end{array}
\]

$\Box$

In a very similar way, we can prove the adequacy of the representation of terms by structural
induction. But in this example, $\beta$-normal forms do not uniquely describe the possible shapes of
an object of type term. Consider for example the two objects:

\[
\begin{array}{lr}
\mathsf{lam}\ (\lambda x : \mathsf{term}\ (a_1\ \mathsf{arrow}\ a_2).\ \mathsf{lam}\ (\lambda y : \mathsf{term}\ a_1.\ \mathsf{app}\ x\ y)) & (2.4)\\
\mathsf{lam}\ (\lambda x : \mathsf{term}\ (a_1\ \mathsf{arrow}\ a_2).\ \mathsf{lam}\ (\mathsf{app}\ x)) & (2.5)
\end{array}
\]

Both objects have type $\mathsf{term}\ ((a_1\ \mathsf{arrow}\ a_2)\ \mathsf{arrow}\ (a_1\ \mathsf{arrow}\ a_2))$, and they correspond to the same
derivation:

\[
\frac{\dfrac{\dfrac{\overline{\mathrm{term}\ (a_1 \to a_2)}^{\,x} \qquad \overline{\mathrm{term}\ a_1}^{\,y}}{\mathrm{term}\ a_2}\ \mathsf{app}}{\mathrm{term}\ (a_1 \to a_2)}\ \mathsf{lam}^y}{\mathrm{term}\ ((a_1 \to a_2) \to a_1 \to a_2)}\ \mathsf{lam}^x
\]

The difference between the two terms is one application of the so-called $\eta$-reduction rule,
which is also part of the logical framework:

\[
\lambda x : A.\ M\ x \longrightarrow M \qquad \text{if } x \text{ does not occur in } M
\]

For adequacy, besides being $\beta$-normal, the term must be in $\eta$-long form, i.e. the $\eta$-rule must be
applied in reverse direction until the term cannot be expanded any further without introducing
a $\beta$-redex. Canonical objects are always in $\beta$-normal and $\eta$-long form. We leave the details to
Section 2.4. In our examples (2.2), (2.4) are canonical, and (2.1), (2.3), (2.5) are not.

Since they exist, canonical objects can be analyzed according to their structure. Note that
this observation holds for objects of atomic and of functional type. Any closed canonical object
$E$ of type $\mathsf{term}\ T$ has one of two possible shapes:

\[
\begin{array}{ll}
E = \mathsf{lam}\ E' & \text{where } E' : \mathsf{term}\ T_1 \to \mathsf{term}\ T_2 \text{ and } T = T_1\ \mathsf{arrow}\ T_2\\
E = \mathsf{app}\ E_1\ E_2 & \text{where } E_1 : \mathsf{term}\ (T_1\ \mathsf{arrow}\ T) \text{ and } E_2 : \mathsf{term}\ T_1
\end{array}
\]

Any closed canonical object $E$ of type $\mathsf{term}\ T_1 \to \mathsf{term}\ T_2$ has one of three possible shapes:

\[
\begin{array}{ll}
E = \lambda x : \mathsf{term}\ T_1.\ x & \text{where } T_1 = T_2\\
E = \lambda x : \mathsf{term}\ T_1.\ \mathsf{lam}\ (E'\ x) & \text{where } (E'\ x) : \mathsf{term}\ T_3 \to \mathsf{term}\ T_2\\
E = \lambda x : \mathsf{term}\ T_1.\ \mathsf{app}\ (E_1\ x)\ (E_2\ x) & \text{where } (E_1\ x) : \mathsf{term}\ (T_3\ \mathsf{arrow}\ T_2) \text{ and } (E_2\ x) : \mathsf{term}\ T_3
\end{array}
\]

The adequacy theorem follows by two simple structural inductions; the proofs of the individual
cases proceed in a similar fashion as the ones for types.

Lemma 2.4 (Adequacy of representation of terms)

1. If $e :: \mathrm{term}\ \tau$ which may rely on assumptions of the form $x_1 :: \mathrm{term}\ \tau_1, \ldots, x_n :: \mathrm{term}\ \tau_n$,
then $\ulcorner e \urcorner : \mathsf{term}\ \ulcorner \tau \urcorner$ which possibly contains variables of the form $x_1 : \mathsf{term}\ \ulcorner \tau_1 \urcorner, \ldots, x_n : \mathsf{term}\ \ulcorner \tau_n \urcorner$.

2. If $E : \mathsf{term}\ \ulcorner \tau \urcorner$ is canonical, possibly containing variables of the form $x_1 : \mathsf{term}\ \ulcorner \tau_1 \urcorner, \ldots, x_n : \mathsf{term}\ \ulcorner \tau_n \urcorner$,
then $E = \ulcorner e \urcorner$ where $e :: \mathrm{term}\ \tau$ which may rely on assumptions of the form $x_1 :: \mathrm{term}\ \tau_1, \ldots, x_n :: \mathrm{term}\ \tau_n$.

Proof: by structural induction over $e$ and $E$. $\Box$
All that remains to be shown for the adequacy of the encoding of terms is compositionality,
i.e. that the $\beta$-rule of the logical framework can be used to represent substitution application.
Compositionality is not important for the adequacy of the representation of types, since it does
not employ higher-order abstract syntax, but it is very important for the adequacy result for the
representation of terms.

Consider a term $e_1$ with a free variable $x$. After unfolding the syntactic formation rules, $e_1$
is a derivation of the following form

\[
\begin{array}{c}\overline{\mathrm{term}\ \tau_2}^{\,x}\\ \vdots\ e_1\\ \mathrm{term}\ \tau_1\end{array}
\]

and its representation in the logical framework is a function:

\[
\left\ulcorner
\begin{array}{c}\overline{\mathrm{term}\ \tau_2}^{\,x}\\ \vdots\ e_1\\ \mathrm{term}\ \tau_1\end{array}
\right\urcorner
= \lambda x : \mathsf{term}\ \ulcorner \tau_2 \urcorner.\ \ulcorner e_1 \urcorner : \mathsf{term}\ \ulcorner \tau_2 \urcorner \to \mathsf{term}\ \ulcorner \tau_1 \urcorner
\]

Given another term $e_2$ of type $\tau_2$, informally, the substitution means to replace all occurrences
of $x$ in $e_1$ by the new derivation of $e_2 :: \mathrm{term}\ \tau_2$. The representation of $e_2$ yields

\[
\ulcorner e_2 \urcorner : \mathsf{term}\ \ulcorner \tau_2 \urcorner
\]

Clearly, the term $(\lambda x : \mathsf{term}\ \ulcorner \tau_2 \urcorner.\ \ulcorner e_1 \urcorner)\ \ulcorner e_2 \urcorner$ is well-typed, and it has a canonical form, but does
it correspond to $\ulcorner e_1[e_2/x] \urcorner$? The answer is given by the compositionality lemma, which is typically
considered part of the adequacy property. It can be easily proven by structural induction given
a precise definition of substitution, which we omit here.

Lemma 2.5 (Compositionality) If $e_1$ is a well-typed term which is hypothetical in $x :: \mathrm{term}\ \tau_2, x_1 :: \mathrm{term}\ \tau_1, \ldots, x_n :: \mathrm{term}\ \tau_n$ and $e_2$ is a well-typed term of type $\tau_2$, then

\[
\ulcorner e_1[e_2/x] \urcorner = (\lambda x : \mathsf{term}\ \ulcorner \tau_2 \urcorner.\ \ulcorner e_1 \urcorner)\ \ulcorner e_2 \urcorner
\]

Proof: by structural induction over $e_1$. $\Box$

Consequently, the representation of the $\beta$-rule of the simply-typed $\lambda$-calculus as we introduced
it above is perfectly sound. The $\beta$-reduction rule of the logical framework can be used
as a vehicle to represent substitutions.
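The following Python sketch is an added illustration, not part of the thesis: the host language plays the role of the logical framework, object-level binders are encoded as Python functions (higher-order abstract syntax), and so the application on the right-hand side of the $\beta$-rule representation at the start of this subsection and of Lemma 2.5 is performed by the host language itself. Both sides are then read back into first-order syntax and compared; the names `encode`, `readback`, `compositional` and the sample terms are chosen here, and the informal `subst` assumes no variable capture.

```python
# Added example (not from the thesis): higher-order abstract syntax for the
# simply-typed lambda-calculus of Section 2.3, with Python playing the role of
# the logical framework.  Object-level binders become Python functions, so the
# application on the right of Lemma 2.5 is the host language's own beta-rule.
from dataclasses import dataclass
from typing import Callable, Optional, Union

# Informal object language: first-order syntax with named variables.
@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class Lam:
    var: str
    body: "Term"

@dataclass(frozen=True)
class App:
    fn: "Term"
    arg: "Term"

Term = Union[Var, Lam, App]

def subst(e1: Term, x: str, e2: Term) -> Term:
    """Informal e1[e2/x].  Assumption: the binders of e1 are distinct from the
    free variables of e2 (no capture); the thesis omits this definition too."""
    if isinstance(e1, Var):
        return e2 if e1.name == x else e1
    if isinstance(e1, Lam):
        return e1 if e1.var == x else Lam(e1.var, subst(e1.body, x, e2))
    return App(subst(e1.fn, x, e2), subst(e1.arg, x, e2))

# Framework objects of type 'term': HOAS, binders are host-language functions.
@dataclass(frozen=True)
class FVar:                # a framework variable, used only during read-back
    name: str

@dataclass(frozen=True)
class HLam:                # constant 'lam' applied to a function term -> term
    fn: Callable[["Obj"], "Obj"]

@dataclass(frozen=True)
class HApp:                # constant 'app' applied to two objects
    fn: "Obj"
    arg: "Obj"

Obj = Union[FVar, HLam, HApp]

def encode(e: Term, env: Optional[dict] = None) -> Obj:
    """The representation function: a variable maps to its binding in env,
    lam x. e to lam (fun v -> encode e with x := v), and e1 e2 to
    app (encode e1) (encode e2).  Free variables must be bound in env."""
    env = env or {}
    if isinstance(e, Var):
        return env[e.name]
    if isinstance(e, Lam):
        return HLam(lambda v: encode(e.body, {**env, e.var: v}))
    return HApp(encode(e.fn, env), encode(e.arg, env))

def readback(m: Obj, depth: int = 0) -> Term:
    """Analyse a framework object structurally: every binder is applied to a
    fresh framework variable named by its depth, so alpha-equivalent objects
    read back to identical first-order terms (de Bruijn-style naming)."""
    if isinstance(m, FVar):
        return Var(m.name)
    if isinstance(m, HLam):
        fresh = f"_{depth}"
        return Lam(fresh, readback(m.fn(FVar(fresh)), depth + 1))
    return App(readback(m.fn, depth), readback(m.arg, depth))

def compositional(e1: Term, x: str, e2: Term) -> bool:
    """Lemma 2.5: encode(e1[e2/x]) equals (fun x -> encode e1) applied to
    encode(e2), where the application is performed by the host language."""
    lhs = encode(subst(e1, x, e2))
    open_e1 = lambda v: encode(e1, {x: v})   # the function (lambda x : term. <e1>)
    rhs = open_e1(encode(e2))                # framework application (beta)
    return readback(lhs) == readback(rhs)

# Constructed sample: e1 = lambda y. x y (open in x), e2 = lambda z. z.
E1 = Lam("y", App(Var("x"), Var("y")))
E2 = Lam("z", Var("z"))
```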

2.3.4 Summary

Based on the principles we have introduced in this section, we can use logical frameworks to
reason formally about deductive systems. Judgments are represented as types and derivations as
objects. Consequently, inference rules are encoded as constants. In this work, we consider only
logical frameworks that provide a notion of objects, a notion of types, and a notion of kinds;
in particular, in the next section we discuss the logical framework LF, which provides dependent
types and satisfies the property that each object, each type, and each kind possesses a
canonical form. It allows us to use higher-order representation techniques while preserving the
adequacy of the encoding.
2.4 The Logical Framework LF

There are many logical frameworks suitable for the representation of deductive systems. A
logical framework based on the simply-typed calculus, such as Isabelle [Pau94], requires extra
infrastructure to guarantee adequacy theorems. For this work, however, we restrict our considerations
to a logical framework that provides dependent types, such as LF [HHP93]. Indeed,
dependent types facilitate adequate higher-order encodings. Thus, we have chosen LF as the
framework of choice for this thesis. In future work we plan to extend this work to other logical
frameworks, such as for example the calculus of constructions [CH88] or the linear logical
framework [CP96].

In this section we give a detailed overview of the language, the judgments, the inference
rules and the meta-theory of LF. Many, if not all of these results go back to the work of Harper,
Honsell, and Plotkin [HHP93], and the interested reader is referred to an excellent tutorial by
Pfenning [Pfe00]. A detailed discussion about canonical forms in LF can be found in [HP99].
These are the three standard references for this section.

2.4.1 Syntax

Most of the syntactical constructions have been motivated in the previous section. All of them are
present in the logical framework LF. LF's notion of dependent type provides enough expressive
power to warrant adequate representations of judgments as types, which we denote with $A$.
Kinds $K$ are needed to classify well-formed type families. The formation rules for objects $M$
admit constants $c$, variables $x$, application $M_1\ M_2$, and $\lambda$-abstraction $\lambda x : A.\ M$. Types are formed
from type constants (or type families) $a$, type application $A\ M$, and dependent types $\Pi x : A_1.\ A_2$.
A dependent type binds an object variable $x$, and allows other types in its body to depend
on it. In other words, $\Pi x : A_1.\ A_2$ is a generalized function type $A_1 \to A_2$, where the variable
$x$ is permitted to occur in the type $A_2$. As a matter of fact, we use the notation $A_1 \to A_2$ if the
variable $x$ does not occur in the type $A_2$. Consider for example our slight but not unreasonable
simplification of the type of the "lam" constant

\[
\mathsf{lam} : (\mathsf{term}\ T_1 \to \mathsf{term}\ T_2) \to \mathsf{term}\ (T_1\ \mathsf{arrow}\ T_2)
\]

Strictly speaking, $(\mathsf{term}\ T_1 \to \mathsf{term}\ T_2) \to \mathsf{term}\ (T_1\ \mathsf{arrow}\ T_2)$ is not a type but a family of types,
since neither $T_1$ nor $T_2$ is declared anywhere. To transform it into a real LF type, we need to
build the $\Pi$-closure and obtain

\[
\mathsf{lam} : \Pi T_1 : \mathsf{tp}.\ \Pi T_2 : \mathsf{tp}.\ (\mathsf{term}\ T_1 \to \mathsf{term}\ T_2) \to \mathsf{term}\ (T_1\ \mathsf{arrow}\ T_2)
\]

Note that $T_1$ and $T_2$ are object level variables. There is a drawback to this complete notation:
whenever the object constant $\mathsf{lam}$ is used, it must first be applied to its domain and its range type.
Intuitively, this seems unnecessary since they can easily be inferred from their positions and
occurrences in the type itself. They must be types: $\mathsf{tp}$! Indeed, it is safe to omit these implicit
arguments if one uses the reconstruction algorithm proposed by Conal and Pfenning [PE88].
For better presentation, we hence omit inferable leading $\Pi$-abstractions throughout this thesis,
without further mention. The reader should bear this in mind.

\[
\begin{array}{lrcl}
\text{Kinds:} & K & ::= & \mathsf{type} \mid \Pi x : A.\ K\\
\text{Types:} & A & ::= & a \mid A\ M \mid \Pi x : A_1.\ A_2\\
\text{Objects:} & M & ::= & c \mid x \mid M_1\ M_2 \mid \lambda x : A.\ M
\end{array}
\]
The representation of a deductive system is a set of constant declarations. Type constant
declarations represent judgments, and object constant declarations represent inference rules. A
collection of these declarations is called a signature, which we denote by $\Sigma$. Similarly, we introduce
the notion of a context as a collection of variable declarations $x_1 : A_1, \ldots, x_n : A_n$, which we
denote by $\Gamma$. Contexts play an important role when we define the semantics and validity of
objects, types, and kinds.

\[
\begin{array}{lrcl}
\text{Signatures:} & \Sigma & ::= & \cdot \mid \Sigma, c : A \mid \Sigma, a : K\\
\text{Contexts:} & \Gamma & ::= & \cdot \mid \Gamma, x : A
\end{array}
\]

The $\cdot$ stands for an empty signature and an empty context. We simply omit it (and the
following comma) if the signature and the context are non-empty, in order not to clutter the presentation
unnecessarily.

2.4.2 Semantics

The semantics of the LF type theory is defined by a set of judgments and inference rules. Among
the necessary judgments we must specify what are valid objects, types, kinds, signatures, and
contexts. Note that the following judgments are all indexed by the signature $\Sigma$, but we can
consider it fixed for all our purposes, and therefore we take the liberty to omit it from the rules
given below.

Judgments:

\[
\begin{array}{ll}
\text{Valid kinds:} & \Gamma \vdash_\Sigma K\ \mathsf{kind}\\
\text{Valid types:} & \Gamma \vdash_\Sigma A : K\\
\text{Valid objects:} & \Gamma \vdash_\Sigma M : A\\
\text{Valid signatures:} & \vdash \Sigma\ \mathsf{sig}\\
\text{Valid contexts:} & \vdash_\Sigma \Gamma\ \mathsf{ctx}
\end{array}
\]

In Section 2.2 and Section 2.3, we have encountered two reduction rules, namely the $\beta$- and
the $\eta$-rule. As above, these rules also exist in the dependently typed setting, and they define a
congruence relation on objects, types and kinds, which allows us to identify all objects which
have the same unique canonical (i.e. $\beta$-normal, $\eta$-long) form. Canonical forms exist because
of Theorem 2.6 below. Its proof depends on the congruence judgments including typing information,
but in this presentation we omit it from the rules below in order to keep the presentation
clean.

\[
\begin{array}{ll}
\text{Congruence on kinds:} & K_1 = K_2\ \mathsf{kind}\\
\text{Congruence on types:} & A_1 = A_2 : K\\
\text{Congruence on objects:} & M_1 = M_2 : A
\end{array}
\]

Rules: Most of these judgments are mutually dependent, i.e. inference rules of one judgment
are defined in terms of another. The rules defining these eight judgments are all standard. We
start with the presentation of the typing rules of kinds.
\[
\frac{}{\Gamma \vdash \mathsf{type}\ \mathsf{kind}}\ \mathsf{kndtyp}
\qquad
\frac{\Gamma \vdash A : \mathsf{type} \qquad \Gamma, x : A \vdash K\ \mathsf{kind}}{\Gamma \vdash \Pi x : A.\ K\ \mathsf{kind}}\ \mathsf{kndpi}
\]

\[
\frac{\Gamma \vdash A : K \qquad K = K' \qquad \Gamma \vdash K'\ \mathsf{kind}}{\Gamma \vdash A : K'}\ \mathsf{kndcnv}
\]

The typing rules for types and type families are defined as follows. They extend the simply-typed
$\lambda$-calculus from Section 2.2.

\[
\frac{\Sigma(a) = K}{\Gamma \vdash a : K}\ \mathsf{famcon}
\qquad
\frac{\Gamma \vdash A_1 : \Pi x : A_2.\ K \qquad \Gamma \vdash M : A_2}{\Gamma \vdash A_1\ M : K[M/x]}\ \mathsf{famapp}
\]

\[
\frac{\Gamma \vdash A_1 : \mathsf{type} \qquad \Gamma, x : A_1 \vdash A_2 : \mathsf{type}}{\Gamma \vdash \Pi x : A_1.\ A_2 : \mathsf{type}}\ \mathsf{fampi}
\]

Note that in the rule famapp, the free occurrence of $x$ in $K$ must be replaced by the object
$M$. A very similar replacement takes place in the rule objapp.

\[
\frac{\Sigma(c) = A}{\Gamma \vdash c : A}\ \mathsf{objcon}
\qquad
\frac{\Gamma(x) = A}{\Gamma \vdash x : A}\ \mathsf{objvar}
\]

\[
\frac{\Gamma \vdash A_1 : \mathsf{type} \qquad \Gamma, x : A_1 \vdash M : A_2}{\Gamma \vdash \lambda x : A_1.\ M : \Pi x : A_1.\ A_2}\ \mathsf{objlam}
\qquad
\frac{\Gamma \vdash M_1 : \Pi x : A_2.\ A_1 \qquad \Gamma \vdash M_2 : A_2}{\Gamma \vdash M_1\ M_2 : A_1[M_2/x]}\ \mathsf{objapp}
\]

\[
\frac{\Gamma \vdash M : A_1 \qquad A_1 = A_2 \qquad \Gamma \vdash A_2 : \mathsf{type}}{\Gamma \vdash M : A_2}\ \mathsf{typcnv}
\]


The rules for signatures are standard. Note that the type $A$ and the kind $K$ in the rules sigobj
and sigfam are well-defined in the signature to the right of the declaration.

\[
\frac{}{\vdash \cdot\ \mathsf{sig}}\ \mathsf{sigemp}
\qquad
\frac{\vdash \Sigma\ \mathsf{sig} \qquad \cdot \vdash_\Sigma A : \mathsf{type}}{\vdash \Sigma, c : A\ \mathsf{sig}}\ \mathsf{sigobj}
\qquad
\frac{\vdash \Sigma\ \mathsf{sig} \qquad \cdot \vdash_\Sigma K\ \mathsf{kind}}{\vdash \Sigma, a : K\ \mathsf{sig}}\ \mathsf{sigfam}
\]


Similarly, the validity of $\Gamma$ is established by the following rules.

\[
\frac{}{\vdash \cdot\ \mathsf{ctx}}\ \mathsf{ctxemp}
\qquad
\frac{\vdash \Gamma\ \mathsf{ctx} \qquad \Gamma \vdash A : \mathsf{type}}{\vdash \Gamma, x : A\ \mathsf{ctx}}\ \mathsf{ctxobj}
\]

Throughout any typing derivation of objects, types and kinds, $\Gamma$ must always remain valid.
Instead of enforcing this condition locally, we push this well-typedness condition all the way to
the axioms. Read from the bottom up, contexts always increase. Hence, we must extend kndtyp,
famcon, objcon, and objvar with this additional premiss. In order not to clutter the rules, we
leave these premisses implicit, too.

The logical framework contains two rules for definitional equality: the $\beta$- and the $\eta$-rule.
As we have discussed in Section 2.3, the $\beta$-rule is helpful in the representation of substitution
lemmas. In Chapter 4 we will see further applications of this hard-wired substitution principle
of the framework.

\[
\frac{}{(\lambda x : A.\ M_1)\ M_2 = M_1[M_2/x]}\ \beta
\qquad
\frac{}{(\lambda x : A.\ M\ x) = M}\ \eta \quad (x \text{ not free in } M)
\]

Similar to the observation in Section 2.2.1, these two rules can be applied to any subterm of
an object, or a type, or even a kind. In order to make this kind of application entirely precise,
we define a conversion relation, naturally one for each level. First, the conversion relation is
turned into an equivalence relation by building the reflexive, transitive, and symmetric closure.


\[
\frac{}{K = K}\ \mathsf{kndrefl}
\qquad
\frac{}{A = A}\ \mathsf{famrefl}
\qquad
\frac{}{M = M}\ \mathsf{objrefl}
\]

\[
\frac{K_2 = K_1}{K_1 = K_2}\ \mathsf{kndsym}
\qquad
\frac{A_2 = A_1}{A_1 = A_2}\ \mathsf{famsym}
\qquad
\frac{M_2 = M_1}{M_1 = M_2}\ \mathsf{objsym}
\]

\[
\frac{K_1 = K_2 \qquad K_2 = K_3}{K_1 = K_3}\ \mathsf{kndtrans}
\qquad
\frac{A_1 = A_2 \qquad A_2 = A_3}{A_1 = A_3}\ \mathsf{famtrans}
\qquad
\frac{M_1 = M_2 \qquad M_2 = M_3}{M_1 = M_3}\ \mathsf{objtrans}
\]

And second, it is turned into a congruence relation $=$: conversion can be applied to subterms.

\[
\frac{A = A'}{\Pi x : A.\ K = \Pi x : A'.\ K}\ \mathsf{cngkndpil}
\qquad
\frac{K = K'}{\Pi x : A.\ K = \Pi x : A.\ K'}\ \mathsf{cngkndpir}
\]

\[
\frac{A = A'}{A\ M = A'\ M}\ \mathsf{cngfamappl}
\qquad
\frac{M = M'}{A\ M = A\ M'}\ \mathsf{cngfamappr}
\]

\[
\frac{A_1 = A_1'}{\Pi x : A_1.\ A_2 = \Pi x : A_1'.\ A_2}\ \mathsf{cngfampil}
\qquad
\frac{A_2 = A_2'}{\Pi x : A_1.\ A_2 = \Pi x : A_1.\ A_2'}\ \mathsf{cngfampir}
\]

\[
\frac{A = A'}{\lambda x : A.\ M = \lambda x : A'.\ M}\ \mathsf{cngobjlaml}
\qquad
\frac{M = M'}{\lambda x : A.\ M = \lambda x : A.\ M'}\ \mathsf{cngobjlamr}
\]

\[
\frac{M_1 = M_1'}{M_1\ M_2 = M_1'\ M_2}\ \mathsf{cngobjappl}
\qquad
\frac{M_2 = M_2'}{M_1\ M_2 = M_1\ M_2'}\ \mathsf{cngobjappr}
\]


This concludes the formal presentation of the rules for the logical framework LF. The signature
of Section 2.3 is in fact an LF signature after appropriate reconstruction of the types. More
examples can be found in Section 2.5, where we encode the rewrite relations from Section 2.2,
and in Chapter 4, where we will represent the Church-Rosser theorem based on an argument of
parallel reduction.


2.4.3 Canonical Forms

In Section 2.3, we have seen that canonical forms are indispensable for the adequacy Lemma 2.3
and Lemma 2.4. Canonical forms are $\beta$-normal, $\eta$-long forms. Formally, this property is
reflected in two mutually dependent judgments: the judgment about canonical forms and
the judgment about atomic forms. Informally again, a canonical form $M^c$ has the form
$\lambda x_1 : A_1.\ \ldots\ \lambda x_n : A_n.\ M^a$ where $M^a$ is atomic, that is, its head $h$ is either a variable or a
constant, and it has generally the following form: $h\ M_1^c\ \ldots\ M_m^c$, where the $M_i^c$'s are canonical.
To guarantee $\eta$-long forms, $M^a$ is required to be of atomic type. As auxiliary judgments, we
also need to formalize canonical types, which enforce that all objects occurring as arguments to
type families in $\lambda$-labels are also canonical.


Judgments

\[
\begin{array}{ll}
\text{Canonical objects:} & \Gamma \vdash M \Uparrow A\\
\text{Atomic objects:} & \Gamma \vdash M \Downarrow A\\
\text{Canonical types:} & \Gamma \vdash A \Uparrow \mathsf{type}\\
\text{Atomic types:} & \Gamma \vdash A \Downarrow K
\end{array}
\]

Rules The following rules define canonical objects, atomic objects, canonical types and atomic
types.

\[
\frac{\Gamma \vdash A_1 \Uparrow \mathsf{type} \qquad \Gamma, x : A_1 \vdash M \Uparrow A_2}{\Gamma \vdash \lambda x : A_1.\ M \Uparrow \Pi x : A_1.\ A_2}\ \mathsf{canpi}
\qquad
\frac{\Gamma \vdash A \Downarrow \mathsf{type} \qquad \Gamma \vdash M \Downarrow A}{\Gamma \vdash M \Uparrow A}\ \mathsf{canatm}
\]

\[
\frac{\Gamma \vdash M \Uparrow A_1 \qquad A_1 = A_2 \qquad \Gamma \vdash A_2 : \mathsf{type}}{\Gamma \vdash M \Uparrow A_2}\ \mathsf{cancnv}
\]

\[
\frac{\Sigma(c) = A}{\Gamma \vdash c \Downarrow A}\ \mathsf{atmcon}
\qquad
\frac{\Gamma(x) = A}{\Gamma \vdash x \Downarrow A}\ \mathsf{atmvar}
\qquad
\frac{\Gamma \vdash M_1 \Downarrow \Pi x : A_2.\ A_1 \qquad \Gamma \vdash M_2 \Uparrow A_2}{\Gamma \vdash M_1\ M_2 \Downarrow A_1[M_2/x]}\ \mathsf{atmapp}
\]

\[
\frac{\Gamma \vdash M \Downarrow A_1 \qquad A_1 = A_2 \qquad \Gamma \vdash A_2 : \mathsf{type}}{\Gamma \vdash M \Downarrow A_2}\ \mathsf{atmcnv}
\]

\[
\frac{\Gamma \vdash A_1 \Uparrow \mathsf{type} \qquad \Gamma, x : A_1 \vdash A_2 \Uparrow \mathsf{type}}{\Gamma \vdash \Pi x : A_1.\ A_2 \Uparrow \mathsf{type}}\ \mathsf{cntpi}
\qquad
\frac{\Gamma \vdash A \Downarrow \mathsf{type}}{\Gamma \vdash A \Uparrow \mathsf{type}}\ \mathsf{cntatm}
\]

\[
\frac{\Sigma(a) = K}{\Gamma \vdash a \Downarrow K}\ \mathsf{attcon}
\qquad
\frac{\Gamma \vdash A \Downarrow \Pi x : A'.\ K \qquad \Gamma \vdash M \Uparrow A'}{\Gamma \vdash A\ M \Downarrow K[M/x]}\ \mathsf{attapp}
\qquad
\frac{\Gamma \vdash A \Downarrow K \qquad K = K' \qquad \Gamma \vdash K'\ \mathsf{kind}}{\Gamma \vdash A \Downarrow K'}\ \mathsf{attcnv}
\]
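The following Python checker is an added example, not code from the thesis: it implements the canonical ($\Uparrow$) and atomic ($\Downarrow$) judgments above for the non-dependent fragment of LF (arrow types and type families applied to objects), which is enough to decide the objects (2.1) to (2.5) of Section 2.3. It assumes that implicit arguments have already been reconstructed, so each constant occurrence carries its instantiated type; the names `canonical`, `atomic` and the helper constructors for the signature of Figure 2.2 are chosen here.

```python
# Added example (not from the thesis): the canonical (up-arrow) and atomic
# (down-arrow) judgments of Section 2.4.3 for the non-dependent fragment of LF.
# Types are arrows or a type family applied to objects; a constant carries the
# type it has after reconstruction of its implicit arguments (assumption).
from dataclasses import dataclass
from typing import Optional, Union

@dataclass(frozen=True)
class Atom:                 # atomic type: family a applied to canonical objects
    family: str
    args: tuple = ()
@dataclass(frozen=True)
class Arrow:                # non-dependent function type A1 -> A2
    dom: "Type"
    cod: "Type"
Type = Union[Atom, Arrow]

@dataclass(frozen=True)
class Var:
    name: str
@dataclass(frozen=True)
class Const:                # Sigma(c) = A, with implicit arguments instantiated
    name: str
    type: Type
@dataclass(frozen=True)
class App:
    fn: "Obj"
    arg: "Obj"
@dataclass(frozen=True)
class Lam:
    var: str
    dom: Type
    body: "Obj"
Obj = Union[Var, Const, App, Lam]

def atomic(ctx: dict, m: Obj) -> Optional[Type]:
    """Gamma |- M (down) A: head is a variable (atmvar) or constant (atmcon) and
    each argument is canonical at the domain the head expects (atmapp).
    Returns the synthesised type, or None; a lambda in head position is a
    beta-redex and is rejected."""
    if isinstance(m, Var):
        return ctx.get(m.name)
    if isinstance(m, Const):
        return m.type
    if isinstance(m, App):
        head = atomic(ctx, m.fn)
        if isinstance(head, Arrow) and canonical(ctx, m.arg, head.dom):
            return head.cod
    return None

def canonical(ctx: dict, m: Obj, a: Type) -> bool:
    """Gamma |- M (up) A: at an arrow type M must be a lambda whose body is
    canonical at the codomain (canpi, which is what forces eta-long forms); at
    an atomic type M must be atomic of exactly that type (canatm).  Equality of
    types is structural, since this fragment has no redexes inside types."""
    if isinstance(a, Arrow):
        return (isinstance(m, Lam) and m.dom == a.dom
                and canonical({**ctx, m.var: m.dom}, m.body, a.cod))
    return atomic(ctx, m) == a

# The signature of Figure 2.2, with lam and app instantiated per use.
TP = Atom("tp")
def a(name: str) -> Const:                     # atomic type constant a_i : tp
    return Const(name, TP)
def arrow(t1: Obj, t2: Obj) -> Obj:            # infix 'arrow' of Figure 2.2
    return App(App(Const("arrow", Arrow(TP, Arrow(TP, TP))), t1), t2)
def term(t: Obj) -> Atom:                      # type family 'term' applied to t
    return Atom("term", (t,))
def lam(t1: Obj, t2: Obj, body: Obj) -> Obj:   # lam at domain T1, range T2
    return App(Const("lam", Arrow(Arrow(term(t1), term(t2)), term(arrow(t1, t2)))), body)
def app_const(t2: Obj, t1: Obj) -> Const:      # app at (T2 arrow T1), T2, T1
    return Const("app", Arrow(term(arrow(t2, t1)), Arrow(term(t2), term(t1))))
def app(t2: Obj, t1: Obj, e1: Obj, e2: Obj) -> Obj:
    return App(App(app_const(t2, t1), e1), e2)

# The objects (2.1)-(2.5) of Section 2.3, constructed here.
A1, A2 = a("a1"), a("a2")
T12 = arrow(A1, A2)
OBJ_2_1 = App(Lam("x", TP, Var("x")), A1)      # (lambda x : tp. x) a1
OBJ_2_2 = A1                                   # a1
OBJ_2_3 = App(Lam("x", TP, A1), A1)            # (lambda x : tp. a1) a1
OBJ_2_4 = lam(T12, T12, Lam("x", term(T12),
              lam(A1, A2, Lam("y", term(A1), app(A1, A2, Var("x"), Var("y"))))))
OBJ_2_5 = lam(T12, T12, Lam("x", term(T12),
              lam(A1, A2, App(app_const(A1, A2), Var("x")))))  # 'app x': not eta-long
TYPE_2_4 = term(arrow(T12, T12))               # term ((a1 arrow a2) arrow (a1 arrow a2))

if __name__ == "__main__":
    for name, obj, ty in [("(2.1)", OBJ_2_1, TP), ("(2.2)", OBJ_2_2, TP), ("(2.3)", OBJ_2_3, TP),
                          ("(2.4)", OBJ_2_4, TYPE_2_4), ("(2.5)", OBJ_2_5, TYPE_2_4)]:
        print(name, "canonical" if canonical({}, obj, ty) else "not canonical")
```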


2.4.4 Meta-Theory

The adequacy results from Section 2.3 depend crucially on one property of LF: every LF object
has a canonical form. Otherwise one could not carry out an argument by structural induction
over the form of LF objects, which is necessary to establish that there is a one-to-one correspondence
between derivations and objects in the type theory. In Chapter 4 we will make a very
similar observation, and in fact the entire formalism we present in Chapter 5 is based on this
property: every object defined in the logical framework has a unique canonical form, i.e. it is
$\beta$-normal and $\eta$-long. The interested reader may study the proof in [HP99].

Theorem 2.6 (Canonical form theorem)

1. If $\Gamma \vdash M \Uparrow A$ then $\Gamma \vdash M : A$.

2. For each object $M$ such that $\Gamma \vdash M : A$, there exists a unique object $M'$ such that $M = M'$
and $\Gamma \vdash M' \Uparrow A$. Moreover, $M'$ can be effectively computed.

3. For each type $A$ such that $\Gamma \vdash A : \mathsf{type}$, there exists a unique type $A'$ such that $A = A'$
and $\Gamma \vdash A' \Uparrow \mathsf{type}$. Moreover, $A'$ can be effectively computed.

Proof: see [HP99]. $\Box$

A direct corollary of the canonical form theorem is that each object has a unique type.

Corollary 2.7 (Uniqueness of typing)

If $\Gamma \vdash M : A_1$
and $\Gamma \vdash M : A_2$
then there exists a unique type $A$ s.t. $A = A_1 = A_2$
and $\Gamma \vdash A \Uparrow \mathsf{type}$
and $\Gamma \vdash M : A$.

Proof: see [HHP93]. $\Box$

That  each  object  has  a  canonical  form  and  a  unique  canonical  type  provides  the  theoretical 
foundation  of  the  theory  and  the  logic  development  in  the  subsequent  chapters  in  this  thesis.  The 
necessity  to  have  canonical  forms  is  absolutely  essential,  and  it  cannot  be  emphasized  enough: 
one  can  only  extend  this  work  to  logical  frameworks,  which  possess  these  properties. 


2.5 More Examples

The simply-typed $\lambda$-calculus in Section 2.2 is defined by its terms and its reduction relation. In
particular, in Section 2.3 we have already discussed an adequate representation of well-typed
terms. In order to show some more examples of how to represent a deductive system specified
by its judgments and its inference rules, we now address the representation of the reduction
relation. The judgment $e_1 \longrightarrow e_2$ is represented by a type family $\longrightarrow$ which we use as an
infix operator.

\[
\ulcorner e_1 \longrightarrow e_2 \urcorner = \ulcorner e_1 \urcorner \longrightarrow \ulcorner e_2 \urcorner
\]

Note that here again we are overloading notation in order to simplify the presentation. We
use the same arrow for the informal and formal representation of the reduction relation; the
reduction arrow must not be confused with the function arrow of LF.

Because of the elegant representation of variables of the simply-typed $\lambda$-calculus using higher-order
abstract syntax, we can easily represent the rbeta-rule:
\[
\left\ulcorner \frac{}{(\lambda x : \tau.\ e_1)\ e_2 \longrightarrow e_1[e_2/x]}\ \mathsf{rbeta} \right\urcorner
= \mathsf{rbeta}\ (\lambda x : \mathsf{term}\ \ulcorner \tau \urcorner.\ \ulcorner e_1 \urcorner)\ \ulcorner e_2 \urcorner
\]
\[
\qquad : \mathsf{app}\ (\mathsf{lam}\ (\lambda x : \mathsf{term}\ \ulcorner \tau \urcorner.\ \ulcorner e_1 \urcorner))\ \ulcorner e_2 \urcorner \longrightarrow (\lambda x : \mathsf{term}\ \ulcorner \tau \urcorner.\ \ulcorner e_1 \urcorner)\ \ulcorner e_2 \urcorner
\]
where $\ulcorner x \urcorner = x$.

Note that on the right hand side of the equation we need not represent $\tau$ as argument to "rbeta";
it is implicitly represented through the type of $\ulcorner e_1 \urcorner$, as is the type of $\ulcorner e_2 \urcorner$. The representation
of the rlam-rule is very similar.

\[
\left\ulcorner
\frac{\begin{array}{c}\mathcal{D}\\ e \longrightarrow e'\end{array}}{\lambda x : \tau.\ e \longrightarrow \lambda x : \tau.\ e'}\ \mathsf{rlam}
\right\urcorner
= \mathsf{rlam}\ (\lambda x : \mathsf{term}\ \ulcorner \tau \urcorner.\ \ulcorner e \urcorner)\ (\lambda x : \mathsf{term}\ \ulcorner \tau \urcorner.\ \ulcorner e' \urcorner)\ (\lambda x : \mathsf{term}\ \ulcorner \tau \urcorner.\ \ulcorner \mathcal{D} \urcorner)
\]
\[
\qquad : \mathsf{lam}\ (\lambda x : \mathsf{term}\ \ulcorner \tau \urcorner.\ \ulcorner e \urcorner) \longrightarrow \mathsf{lam}\ (\lambda x : \mathsf{term}\ \ulcorner \tau \urcorner.\ \ulcorner e' \urcorner)
\]
where $\ulcorner x \urcorner = x$.

Differently from the informal representation, we make the fact that $x$ might occur free in $\mathcal{D}$
unambiguously explicit. The representation of $\mathcal{D}$ is parametric in $x$! The third argument to
"rlam" has therefore the following type: $\Pi x : \mathsf{term}\ \ulcorner \tau \urcorner.\ \ulcorner e \urcorner \longrightarrow \ulcorner e' \urcorner$ where $\ulcorner x \urcorner = x$.
$$\left\ulcorner \dfrac{\begin{array}{c}\mathcal{D}\\ e_1 \longrightarrow e_1'\end{array}}{e_1\; e_2 \longrightarrow e_1'\; e_2}\;\textsf{rapp}_1 \right\urcorner
\;=\; \textsf{rapp}_1\;\ulcorner e_1\urcorner\;\ulcorner e_1'\urcorner\;\ulcorner e_2\urcorner\;\ulcorner\mathcal{D}\urcorner$$
$$\qquad :\ \mathsf{app}\;\ulcorner e_1\urcorner\;\ulcorner e_2\urcorner \longrightarrow \mathsf{app}\;\ulcorner e_1'\urcorner\;\ulcorner e_2\urcorner$$

Very similar to the encoding of $\textsf{rapp}_1$ is the rule $\textsf{rapp}_2$:

$$\left\ulcorner \dfrac{\begin{array}{c}\mathcal{D}\\ e_2 \longrightarrow e_2'\end{array}}{e_1\; e_2 \longrightarrow e_1\; e_2'}\;\textsf{rapp}_2 \right\urcorner
\;=\; \textsf{rapp}_2\;\ulcorner e_1\urcorner\;\ulcorner e_2\urcorner\;\ulcorner e_2'\urcorner\;\ulcorner\mathcal{D}\urcorner$$
$$\qquad :\ \mathsf{app}\;\ulcorner e_1\urcorner\;\ulcorner e_2\urcorner \longrightarrow \mathsf{app}\;\ulcorner e_1\urcorner\;\ulcorner e_2'\urcorner$$

The encoding of the single step reduction relation for the simply-typed $\lambda$-calculus is adequate,
as one can easily verify by induction.

Lemma 2.8 (Adequacy of the representation of $\longrightarrow$)

1. If $\mathcal{D} :: e_1 \longrightarrow e_2$, which may rely on assumptions of the form $x_1 :: \mathsf{term}\ \tau_1, \ldots, x_n :: \mathsf{term}\ \tau_n$, then $\ulcorner\mathcal{D}\urcorner : \ulcorner e_1\urcorner \longrightarrow \ulcorner e_2\urcorner$, which possibly contains variables of the form $x_1 : \mathsf{term}\ \ulcorner\tau_1\urcorner, \ldots, x_n : \mathsf{term}\ \ulcorner\tau_n\urcorner$.

2. If $D : \ulcorner e_1\urcorner \longrightarrow \ulcorner e_2\urcorner$ is canonical, possibly containing variables of the form $x_1 : \mathsf{term}\ \ulcorner\tau_1\urcorner, \ldots, x_n : \mathsf{term}\ \ulcorner\tau_n\urcorner$, then $D = \ulcorner\mathcal{D}\urcorner$ where $\mathcal{D} :: e_1 \longrightarrow e_2$, which may rely on assumptions of the form $x_1 :: \mathsf{term}\ \tau_1, \ldots, x_n :: \mathsf{term}\ \tau_n$.

For all other encodings in the remainder of this thesis we will not write out the adequacy theorems
explicitly any more; they always follow the same scheme. Omitting inferable arguments, we
obtain as extension of the LF signature from Section 2.3 the adequate encoding of the $\longrightarrow$
relation.


⟶ : term T -> term T -> type

rbeta : (app (lam E1) E2) ⟶ E1 E2

rlam  : (Πx : term T1. E x ⟶ E' x)
        -> (lam E) ⟶ (lam E')

rapp1 : E1 ⟶ E1'
        -> (app E1 E2) ⟶ (app E1' E2)

rapp2 : E2 ⟶ E2'
        -> (app E1 E2) ⟶ (app E1 E2')

By applying the same representation techniques discussed in this section, we further extend
the signature by an encoding of the multi-step relation $\longrightarrow^{*}$ and the conversion relation $\longleftrightarrow$.

⟶* : term T -> term T -> type

rid   : E ⟶* E

rstep : E ⟶ E'
        -> E' ⟶* E''
        -> E ⟶* E''

⟷ : term T -> term T -> type

rrefl  : E ⟷ E

rred   : E ⟶* E'
         -> E ⟷ E'

rsymm  : E ⟷ E'
         -> E' ⟷ E

rtrans : E ⟷ E'
         -> E' ⟷ E''
         -> E ⟷ E''


2.6  Function  Spaces 

The function spaces definable in the logical framework LF are different from the function spaces
application programmers are used to. In general, programming relies on features such as function
definition by cases or if-then-else constructions to code specific applications. Those features are
not supported by the logical framework. In fact, the operational meaning of LF includes only
two operations: $\beta$-reduction and $\eta$-reduction. Hence, LF is not expressive enough to represent
functions that decide if a given term is a $\beta$-redex.

Boolean values: $B ::= \top \mid \bot$

Informally, the decision procedure can be defined by pattern-matching

$\lambda E : \mathsf{term}\ T.\ \mathsf{case}\ E$
$\quad \mathsf{of}\ (\mathsf{app}\ (\mathsf{lam}\ E_1)\ E_2) \mapsto \top$
$\quad\ \mid\ (\mathsf{app}\ (\mathsf{app}\ E_1\ E_2)) \mapsto \bot$
$\quad\ \mid\ (\mathsf{lam}\ E') \mapsto \bot$

and clearly, this function cannot be normalized any further since its argument $E$ is only given at
run-time. Therefore, this function does not possess a canonical form in LF, and thus functions
of this kind violate the adequacy requirement of the encoding.

Therefore we must distinguish the two function spaces from each other. One function space
is the LF function space $A_1 \to A_2$, which contains all LF objects that map objects of type $A_1$
to objects of type $A_2$. Because of the canonical form theorem, functional LF objects of this
type are inductively defined, and therefore we call it parametric. In Section 2.3, for example,
we have examined all functions of the type $\mathsf{term}\ T_1 \to \mathsf{term}\ T_2$. The body of each function is
either a constant from the signature $\Sigma$, or a local parameter, applied to arguments.

We call the other function space recursive, because it permits function definition by cases and
recursion. The question of how to arrange it so that the parametric and the recursive function
space can safely coexist is one of the main contributions of this thesis. In essence, the nature of
the problem is that there are too many recursive functions, destroying our requirement for the
existence of canonical forms. It has been shown that in the setting of a non-dependently typed
framework (the simply-typed $\lambda$-calculus) one can express the recursive function space in terms
of the parametric one using a modality which satisfies the properties of the modal logic S4. We refer
the interested reader to [DPS97, Lel98].

2.7  Summary 

A  logical  framework  is  a  formal  system  which  represents  deductive  systems  using  type  theory. 
Elegant  representations  of  deductive  systems  that  include  variable  concepts  and  appropriate 
substitution  principles  are  facilitated  by  higher-order  representation  techniques.  In  order  to 
guarantee the adequacy of encoding, each object in the logical framework must possess a canonical
form. The logical framework LF [HHP93], which is the logical framework of choice for this
thesis,  supports  higher-order  representation  techniques  and  has  proven  to  be  appropriate  for 
the  representation  of  many  deductive  systems  from  logics,  programming  languages,  operational 
semantics,  and  many  others  [Pfe99]. 
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Chapter  3 

Reasoning 


3.1  Introduction 

The quality of any design can be drastically improved by specifying and verifying associated
characteristic properties during the design process. For example, we expect that a typed programming
language satisfies the type preservation property, i.e. that the evaluation of any well-typed
program preserves types. Similarly, a calculus of inference rules for any logic must be
consistent; if falsehood is derivable, typically any other formula is also derivable, a circumstance
that invalidates consistency. Following [Gen35], the consistency of the sequent calculus for first-order
intuitionistic logic, for example, follows from a purely syntactical argument. Gentzen has
shown that any derivation with cuts can be transformed into a derivation without cuts while
providing evidence for exactly the same judgment. By inspection of the other inference rules,
the consistency of first-order intuitionistic logic follows easily.

Therefore, good designs of deductive systems require designers to reason about their properties.
In particular, the overall goal of this thesis is to provide the necessary technology and
tools to support and automate these reasoning tasks. More specifically, in this chapter we extend
the example presented in Section 2.2 and develop as a case study the proof of the Church-Rosser
property in Section 3.2. Then we review previously proposed techniques to formalize meta-theoretic
arguments about deductive systems, and discuss briefly how far these techniques can
be automated in Section 3.3.


3.2  Church-Rosser  Theorem 


The Church-Rosser theorem for the simply-typed $\lambda$-calculus states that two convertible terms
$e_1, e_2$ have a common reduct $e'$ and two reductions, from $e_1$ to $e'$ and from $e_2$ to $e'$. This
property is easily visualized by the following diagram.

        e1  <----->  e2
          .         .
           .       .
            .     .
             .   .
              e'


In this presentation we use solid arrows to represent given reductions, and dotted arrows
for reductions whose existence is still to be shown. The goal of this section is to develop the
Church-Rosser theorem for the notion of reduction defined in Section 2.2. The way we proceed
is to introduce a new notion of reduction which we call parallel reduction, as opposed to the
other notion of reduction which we call ordinary reduction in order to keep them apart. The
technique of using parallel reduction and parallel conversion for the proof of the Church-Rosser
property goes back to Martin-Löf and Tait (see [Bar80]). We proceed as follows: First, we take
the ordinary reduction relation defined in Section 2.2 and prove some simple properties. Then
we introduce the notion of parallel reduction, show the Church-Rosser property and eventually
finish with an equivalence proof between parallel and ordinary reduction. But the reader should
be alert: The main goal of this section is not the theory itself, but rather the development of
an example with which we can explain and test the automated reasoning engine we develop in
this thesis. The argument itself is well-known, and we refer the interested reader to a further
and more detailed explanation in [Pfe93].


3.2.1  Properties  of  Ordinary  Reduction 

We begin now with two easy proofs about ordinary reductions: First we show that the multi-step
reduction is transitive, and second that all inference rules for the single-step reduction relation
are still valid, even if we exchange the single-step reduction arrow $\longrightarrow$ by the multi-step
reduction arrow $\longrightarrow^{*}$.

More precisely, the first lemma expresses that two multi-step reductions with a common term
$e'$ at the end of the first and the beginning of the second can be merged. This is a very basic
and easy meta-theorem. For example, it follows by induction over the reduction ending in $e'$.
By careful analysis of the inference rules, we notice that the last applied inference rule is either
the identity reduction rid or the step case rstep. In the latter case, one appeal to the induction
hypothesis provides the right reduction derivation from which the necessary reduction can be
constructed.


Lemma 3.1 (Transitivity of $\longrightarrow^{*}$) If $\mathcal{D}_1 :: e \longrightarrow^{*} e'$ and $\mathcal{D}_2 :: e' \longrightarrow^{*} e''$ then $e \longrightarrow^{*} e''$.

Proof: by induction over $\mathcal{D}_1$:

Case: $\mathcal{D}_1 = \dfrac{}{e \longrightarrow^{*} e}\;\textsf{rid}$

    $\mathcal{D}_2 :: e \longrightarrow^{*} e''$                                   by assumption

Case: $\mathcal{D}_1 = \dfrac{\begin{array}{c}\mathcal{D}_1'\\ e \longrightarrow e'''\end{array}\qquad\begin{array}{c}\mathcal{D}_1''\\ e''' \longrightarrow^{*} e'\end{array}}{e \longrightarrow^{*} e'}\;\textsf{rstep}$

    $\mathcal{D}' :: e''' \longrightarrow^{*} e''$                                 by i.h. on $\mathcal{D}_1''$ and $\mathcal{D}_2$
    $\mathcal{Q} :: e \longrightarrow^{*} e''$                                     by rstep on $\mathcal{D}_1'$, $\mathcal{D}'$

□
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The  proof  of  Lemma  3. 1  visualizes  the  three  most  basic  operations  used  when  reasoning  about 
deductive  systems.  The  first  technique  is  induction.  It  means,  that  the  different  proof  cases 
may  take  advantage  of  the  fact  that  the  induction  hypothesis  holds  for  any  smaller  derivations 
according  to  some  well-founded  ordering.  In  particular,  since  the  argument  is  by  structural 
induction,  the  induction  hypothesis  holds  for  all  subderivations  of  the  given  derivation,  and 
hence  the  well-founded  ordering  is  simply  the  subderivation  ordering.  The  second  technique 
is  case  analysis:  Derivations  can  be  distinguished  by  the  last  applied  rule.  The  third  and  last 
technique  is  the  use  of  other  inference  rules  to  reconstruct  the  desired  result  derivations  (last 
step,  in  the  rstep  case). 

The second lemma generalizes the rules from Section 2.2.1. It states that the multi-step
reduction can be manipulated with the same rules that define the single-step reduction when
one exchanges the $\longrightarrow$ symbol by the $\longrightarrow^{*}$ symbol. The rules are admissible, because they
require a reorganization of the premiss derivations in order to arrive at the conclusion.

Lemma 3.2 (Admissible rules)

1. If $\mathcal{D} :: e \longrightarrow^{*} e'$ then $\lambda x{:}\tau_2.\,e \longrightarrow^{*} \lambda x{:}\tau_2.\,e'$

2. If $\mathcal{D} :: e_1 \longrightarrow^{*} e_1'$ then $e_1\;e_2 \longrightarrow^{*} e_1'\;e_2$

3. If $\mathcal{D} :: e_2 \longrightarrow^{*} e_2'$ then $e_1\;e_2 \longrightarrow^{*} e_1\;e_2'$

Proof: by structural induction over $\mathcal{D}$

1. Case: $\mathcal{D} = \dfrac{}{e \longrightarrow^{*} e}\;\textsf{rid}$

    $\lambda x{:}\tau_2.\,e \longrightarrow^{*} \lambda x{:}\tau_2.\,e$                               by rid

   Case: $\mathcal{D} = \dfrac{\begin{array}{c}\mathcal{D}'\\ e \longrightarrow e''\end{array}\qquad\begin{array}{c}\mathcal{D}''\\ e'' \longrightarrow^{*} e'\end{array}}{e \longrightarrow^{*} e'}\;\textsf{rstep}$

    $\mathcal{D}_1 :: \lambda x{:}\tau_2.\,e'' \longrightarrow^{*} \lambda x{:}\tau_2.\,e'$           by i.h.(1) on $\mathcal{D}''$
    $\mathcal{D}_2 :: \lambda x{:}\tau_2.\,e \longrightarrow \lambda x{:}\tau_2.\,e''$               by rlam on $\mathcal{D}'$
    $\mathcal{Q} :: \lambda x{:}\tau_2.\,e \longrightarrow^{*} \lambda x{:}\tau_2.\,e'$               by rstep on $\mathcal{D}_2$, $\mathcal{D}_1$

2. Case: $\mathcal{D} = \dfrac{}{e_1 \longrightarrow^{*} e_1}\;\textsf{rid}$

    $e_1\;e_2 \longrightarrow^{*} e_1\;e_2$                                         by rid

   Case: $\mathcal{D} = \dfrac{\begin{array}{c}\mathcal{D}'\\ e_1 \longrightarrow e_1''\end{array}\qquad\begin{array}{c}\mathcal{D}''\\ e_1'' \longrightarrow^{*} e_1'\end{array}}{e_1 \longrightarrow^{*} e_1'}\;\textsf{rstep}$

    $\mathcal{D}_1 :: e_1''\;e_2 \longrightarrow^{*} e_1'\;e_2$                            by i.h.(2) on $\mathcal{D}''$
    $\mathcal{D}_2 :: e_1\;e_2 \longrightarrow e_1''\;e_2$                                by rapp$_1$ on $\mathcal{D}'$
    $\mathcal{Q} :: e_1\;e_2 \longrightarrow^{*} e_1'\;e_2$                                by rstep on $\mathcal{D}_2$, $\mathcal{D}_1$

3. Case: $\mathcal{D} = \dfrac{}{e_2 \longrightarrow^{*} e_2}\;\textsf{rid}$

    $e_1\;e_2 \longrightarrow^{*} e_1\;e_2$                                         by rid

   Case: $\mathcal{D} = \dfrac{\begin{array}{c}\mathcal{D}'\\ e_2 \longrightarrow e_2''\end{array}\qquad\begin{array}{c}\mathcal{D}''\\ e_2'' \longrightarrow^{*} e_2'\end{array}}{e_2 \longrightarrow^{*} e_2'}\;\textsf{rstep}$

    $\mathcal{D}_1 :: e_1\;e_2'' \longrightarrow^{*} e_1\;e_2'$                            by i.h.(3) on $\mathcal{D}''$
    $\mathcal{D}_2 :: e_1\;e_2 \longrightarrow e_1\;e_2''$                                by rapp$_2$ on $\mathcal{D}'$
    $\mathcal{Q} :: e_1\;e_2 \longrightarrow^{*} e_1\;e_2'$                                by rstep on $\mathcal{D}_2$, $\mathcal{D}_1$

□


We  observe,  that  we  have  used  the  same  principles  for  the  proof  of  Lemma  3.2  as  we  did  to 
prove  Lemma  3.1.  In  some  sense,  the  third  operation  is  slightly  more  general  than  before.  In 
the  proof  of  Lemma  3.1  only  one  rule  of  the  inference  system  is  used  to  construct  the  existential 
derivation,  whereas  here  several  are  used.  In  summary,  we  have  discovered  three  recurring  proof 
principles: 

1. Appeals to the induction hypothesis on smaller derivations according to some well-founded
ordering on derivations.

2.  Case  analysis  over  the  last  applied  rule  of  a  derivation. 

3.  Construction  of  desired  derivations  from  other  rules,  assumed  derivations,  and  result 
derivations  of  appeals  to  the  induction  hypothesis. 

These  three  proof  principles  correspond  directly  to  operations  which  are  implemented  in  the 
automated  theorem  prover  described  in  Chapter  8. 

3.2.2  Parallel  Reduction 

In order to prove the Church-Rosser theorem for ordinary reduction from Section 2.2 we follow
an idea of Martin-Löf and Tait (see [Bar80]) and use the method of parallel reduction. This
method is based on the following fundamental idea: Instead of reducing one $\beta$-redex after the other
in sequence as with ordinary reduction, parallel reduction is defined in a way that several $\beta$-redices
may be reduced simultaneously. The reduction relation is defined by the following three
rules.

$$\dfrac{\begin{array}{c}\overline{x \Longrightarrow x}\;u\\ \vdots\\ e_1 \Longrightarrow e_1'\end{array}\qquad e_2 \Longrightarrow e_2'}{(\lambda x{:}\tau.\,e_1)\;e_2 \Longrightarrow e_1'[e_2'/x]}\;\textsf{pbeta}^{u}
\qquad\qquad
\dfrac{\begin{array}{c}\overline{x \Longrightarrow x}\;u\\ \vdots\\ e \Longrightarrow e'\end{array}}{\lambda x{:}\tau.\,e \Longrightarrow \lambda x{:}\tau.\,e'}\;\textsf{plam}^{u}
\qquad\qquad
\dfrac{e_1 \Longrightarrow e_1' \qquad e_2 \Longrightarrow e_2'}{e_1\;e_2 \Longrightarrow e_1'\;e_2'}\;\textsf{papp}$$

The rules pbeta and plam are hypothetical because they discharge the assumption labeled
$u$. This is one of the crucial differences between this kind of reduction and ordinary reduction:
With ordinary reductions, variables were never reduced, whereas here they are; in fact they
reduce to themselves. Reasoning with assumptions has consequences that make the formulation of
lemmas and theorems more difficult: "$\mathcal{D}$ is a parallel reduction from $e$ to $e'$" is a rather imprecise
statement because nothing is said about the context in which this statement is supposed to be
true. Since automated proof construction is the goal of this thesis, we have to be painstakingly
precise. We say that "$\mathcal{D}$ is a closed parallel reduction from $e$ to $e'$" if this statement does not
rely on any additional assumptions. On the other hand, we say that "$\mathcal{D}$ is an open parallel
reduction from $e$ to $e'$" if the context is not necessarily empty. In this situation, $e, e'$ may
contain variables $x_1, \ldots, x_n$, each of which reduces to itself: $x_i \Longrightarrow x_i$.

Following the example of ordinary reductions, we generalize the single-step parallel reduction
relation (that may execute several $\beta$-reduction steps simultaneously) to a multi-step parallel
reduction relation, for which we write $e \Longrightarrow^{*} e'$ if $e$ parallel reduces in several steps to $e'$.

$$\dfrac{}{e \Longrightarrow^{*} e}\;\textsf{pid}\qquad\qquad\dfrac{e \Longrightarrow e' \qquad e' \Longrightarrow^{*} e''}{e \Longrightarrow^{*} e''}\;\textsf{pstep}$$

Next, we define the notion of parallel conversion between two terms $e$ and $e'$. Intuitively,
parallel conversion generalizes the multi-step parallel reduction relation in the same way as
ordinary conversion generalizes the ordinary reduction relation (see Section 2.2). We write
$e \Longleftrightarrow e'$ if there exists a sequence of intermediate terms $e_1, \ldots, e_n$, s.t.

$$e \;\sim\; e_1 \;\sim\; \cdots \;\sim\; e_n \;\sim\; e'$$

where each $\sim$ is either $\Longrightarrow^{*}$ or $\Longleftarrow^{*}$, keeping in mind that $\Longleftarrow^{*}$ is not a new reduction relation but simply an alternative visual
presentation of $\Longrightarrow^{*}$, read from right to left. The constants pexp and ptrans of Figure 3.1 encode this definition.


Applying the techniques presented in the previous chapter, we can now give an LF signature
in Figure 3.1, which is an adequate encoding of the three parallel reduction rules introduced in
this section.

⟹ : term T -> term T -> type.

pbeta : (Πx : term T. x ⟹ x -> e1 x ⟹ e1' x)
        -> e2 ⟹ e2'
        -> (app (lam e1) e2) ⟹ e1' e2'

papp  : e1 ⟹ e1'
        -> e2 ⟹ e2'
        -> (app e1 e2) ⟹ (app e1' e2')

plam  : (Πx : term T. x ⟹ x -> e x ⟹ e' x)
        -> lam e ⟹ lam e'

⟹* : term T -> term T -> type.

pid   : e ⟹* e

pstep : e ⟹ e'
        -> e' ⟹* e''
        -> e ⟹* e''

⟺ : term T -> term T -> type.

pexp   : [type illegible in the scan]

ptrans : [type illegible in the scan]

Figure 3.1: LF encoding of parallel reduction and parallel conversion (extends Figure 2.2)

Lemma 3.3 (Adequacy of the representation of parallel reduction)

1. If $\mathcal{D} :: e_1 \Longrightarrow e_2$, which may rely on assumptions of the form $x_1 :: \mathsf{term}\ \tau_1,\ u_1 :: x_1 \Longrightarrow x_1, \ldots, x_n :: \mathsf{term}\ \tau_n,\ u_n :: x_n \Longrightarrow x_n$, then $\ulcorner\mathcal{D}\urcorner : \ulcorner e_1\urcorner \Longrightarrow \ulcorner e_2\urcorner$, which possibly contains variables of the form $x_1 : \mathsf{term}\ \ulcorner\tau_1\urcorner,\ u_1 : x_1 \Longrightarrow x_1, \ldots, x_n : \mathsf{term}\ \ulcorner\tau_n\urcorner,\ u_n : x_n \Longrightarrow x_n$.

2. If $D : \ulcorner e_1\urcorner \Longrightarrow \ulcorner e_2\urcorner$ is canonical, possibly containing variables of the form $x_1 : \mathsf{term}\ \ulcorner\tau_1\urcorner,\ u_1 : x_1 \Longrightarrow x_1, \ldots, x_n : \mathsf{term}\ \ulcorner\tau_n\urcorner,\ u_n : x_n \Longrightarrow x_n$, then $D = \ulcorner\mathcal{D}\urcorner$ where $\mathcal{D} :: e_1 \Longrightarrow e_2$, which may rely on assumptions of the form $x_1 :: \mathsf{term}\ \tau_1,\ u_1 :: x_1 \Longrightarrow x_1, \ldots, x_n :: \mathsf{term}\ \tau_n,\ u_n :: x_n \Longrightarrow x_n$.


3.2.3  Properties  of  Parallel  Reduction 

In this section we show the Church-Rosser theorem for parallel reduction. The theorems and
proofs in this section are particularly important for the subsequent chapters, because
they reveal the issues associated with reasoning about open derivations, that is, derivations
which may be valid only under additional assumptions. Recall that we call a derivation closed if
no additional assumptions are used.

Used in the proof of one of the subsequent lemmas is the property that the parallel reduction
relation is reflexive. What we want to show is that for every term $e$, there exists a reduction
$\mathcal{Q} :: e \Longrightarrow e$. In a first proof attempt one may assume that $e$ is closed.

Lemma 3.4 (Reflexivity of $\Longrightarrow$, Version I) For any closed term $e$, $e \Longrightarrow e$.

This lemma is not directly provable in its current formulation by structural induction. To see
why, consider the case that $e$'s outermost constructor is an abstraction and not an application.
$e$ then has the form

$$\dfrac{\begin{array}{c}\overline{\mathsf{term}\ \tau_1}\;x\\ \vdots\\ e'\\ \mathsf{term}\ \tau_2\end{array}}{\mathsf{term}\ (\tau_1 \to \tau_2)}\;\textsf{lam}^{x}$$

And indeed, the induction hypothesis is not general enough to conclude that $e' \Longrightarrow e'$.
Obviously $e'$ must be closed for the induction hypothesis to apply, but it is not. Therefore we
must generalize the induction hypothesis in such a way that it also applies to open terms $e$. In
the second attempt we try the obvious: $e$ can also depend on variables $x_1 :: \mathsf{term}\ \tau_1, \ldots, x_n :: \mathsf{term}\ \tau_n$:

Lemma 3.4 (Reflexivity of $\Longrightarrow$, Version II) For any term $e$, which is open in the sense
that it may depend on assumptions $x_1 :: \mathsf{term}\ \tau_1, \ldots, x_n :: \mathsf{term}\ \tau_n$, there exists a derivation of
$e \Longrightarrow e$.

Strangely enough, this formulation of the lemma is still not general enough! To see why,
consider $e = x_i$. The lemma should yield that $x_i \Longrightarrow x_i$, but how? There is no rule from the
signature we could apply and there are no assumptions $x_i \Longrightarrow x_i$. The solution to the problem is
to treat the reduction rules $x_i \Longrightarrow x_i$ in the same way as we treat assumptions. We must set the
stage in such a way that in addition to the parameter assumptions $x_1 :: \mathsf{term}\ \tau_1, \ldots, x_n :: \mathsf{term}\ \tau_n$
also the following assumptions

$$\overline{x_1 \Longrightarrow x_1}\;u_1 \qquad \cdots \qquad \overline{x_n \Longrightarrow x_n}\;u_n$$

are available, which we as usual abbreviate as a list by $u_1 :: x_1 \Longrightarrow x_1, \ldots, u_n :: x_n \Longrightarrow x_n$. For
a better conceptual understanding we pair the declaration of $x_i$ and the corresponding assumption
$u_i$. Not too surprisingly any more, the reflexivity lemma is now provable in this generality.

Lemma 3.4 (Reflexivity of $\Longrightarrow$, Version III) Consider the situation where a list of the
following assumptions is present

$$x_1 :: \mathsf{term}\ \tau_1,\ u_1 :: x_1 \Longrightarrow x_1,\ \ldots,\ x_n :: \mathsf{term}\ \tau_n,\ u_n :: x_n \Longrightarrow x_n$$

Then for any well-typed term $e$, there exists a derivation of $e \Longrightarrow e$.

Proof: by structural induction on $e$:

Case: $e = \dfrac{}{\mathsf{term}\ \tau_i}\;x_i$

    $u_i :: x_i \Longrightarrow x_i$                                              by assumption

Case: $e = \dfrac{\begin{array}{c}\overline{\mathsf{term}\ \tau_1}\;x_{n+1}\\ \vdots\\ e'\\ \mathsf{term}\ \tau_2\end{array}}{\mathsf{term}\ (\tau_1 \to \tau_2)}\;\textsf{lam}^{x_{n+1}}$

    Assume $x_{n+1} :: \mathsf{term}\ \tau_1$
    Assume $u_{n+1} :: x_{n+1} \Longrightarrow x_{n+1}$
    $\mathcal{D} :: e' \Longrightarrow e'$                                               by i.h. on $e'$
    $\mathcal{Q} :: \lambda x_{n+1}{:}\tau_1.\,e' \Longrightarrow \lambda x_{n+1}{:}\tau_1.\,e'$        by rule plam on $\mathcal{D}$

Case: $e = \dfrac{\begin{array}{c}e_1\\ \mathsf{term}\ (\tau_2 \to \tau_1)\end{array}\qquad\begin{array}{c}e_2\\ \mathsf{term}\ \tau_2\end{array}}{\mathsf{term}\ \tau_1}\;\textsf{app}$

    $\mathcal{D}_1 :: e_1 \Longrightarrow e_1$                                            by i.h. on $e_1$
    $\mathcal{D}_2 :: e_2 \Longrightarrow e_2$                                            by i.h. on $e_2$
    $\mathcal{Q} :: e_1\;e_2 \Longrightarrow e_1\;e_2$                                    by rule papp on $\mathcal{D}_1, \mathcal{D}_2$

□

Note that the proof works only in the situation where we have exactly the assumptions
$x_1, u_1, \ldots, x_n, u_n$, if we ignore unrelated assumptions for now. If there are more, the proof is not
a proof: some cases may not be covered. If there are fewer, the induction hypothesis might not
be applicable. Without making it really precise, we want the reader to notice that the list of
assumptions is very regular in structure. It is made out of basic building blocks of the form

$$\rho \;=\; x :: \mathsf{term}\ \tau,\ u :: x \Longrightarrow x \qquad \text{where } \tau \text{ is some type} \qquad (3.1)$$

and the assumption lists can be inductively described by

$$\Phi ::= \cdot \mid \Phi, \rho$$

where variables $x, u$ are $\alpha$-converted to avoid duplicates. If we refer to the LF signature as a
static description of the world that summarizes all inference rules, $\Phi$ is a dynamic extension
of the world because it introduces new parameters. In addition, the proof of Lemma 3.4 also
motivates a new meta-proving operation; in the case of lam we extend the current world by two
new parameters $x_{n+1}$ and $u_{n+1}$. All other proof principles used in this proof have already been
discussed.

When reasoning informally about deductive systems, these assumptions in general stay hidden.
Their regularity is tremendously important in this work, and it is thoroughly analyzed and
formalized in Chapter 4. Lemma 3.4 is an explicit version of Lemma 3 in [Pfe93].

Following the sequence of lemmas presented in [Pfe93], we generalize each lemma to the
appropriate level of detail in order to motivate the design of our system in Chapter 4. The
transitivity lemma for parallel reductions, for example, is provable in a setting where the derivations $\mathcal{D} :: e \Longrightarrow^{*} e'$
are closed, which raises the question whether this is general enough. In other words, the degree of
generality of a lemma does not only depend on its proof, but also on the generality
required at the places where it is used. A transitivity property for closed derivations cannot be
applied to derivations which are open. On the one hand, this sounds trivial, but on the other,
there is a whole theory of which proof can appeal to what lemma, which we discuss in detail in
Section 5.7.2. Nevertheless, we prove this lemma in more generality. For all the proofs following
below, we let $\Phi$ describe dynamic extensions to the world, as defined above.

$$\Phi = x_1 :: \mathsf{term}\ \tau_1,\ u_1 :: x_1 \Longrightarrow x_1,\ \ldots,\ x_n :: \mathsf{term}\ \tau_n,\ u_n :: x_n \Longrightarrow x_n$$

Lemma 3.5 (Transitivity of $\Longrightarrow^{*}$) Let $\Phi$ be the dynamic extension of the world. If $\mathcal{D}_1 :: e \Longrightarrow^{*} e'$ and $\mathcal{D}_2 :: e' \Longrightarrow^{*} e''$ then $e \Longrightarrow^{*} e''$.

Proof: by structural induction over $\mathcal{D}_1$:

Case: $\mathcal{D}_1 = \overline{x \Longrightarrow x}\;u$

    $\mathcal{D}_2 :: x \Longrightarrow^{*} e''$                                         by assumption

Case: $\mathcal{D}_1 = \dfrac{}{e \Longrightarrow^{*} e}\;\textsf{pid}$

    $\mathcal{D}_2 :: e \Longrightarrow^{*} e''$                                         by assumption

Case: $\mathcal{D}_1 = \dfrac{\begin{array}{c}\mathcal{D}_1'\\ e \Longrightarrow e'''\end{array}\qquad\begin{array}{c}\mathcal{D}_1''\\ e''' \Longrightarrow^{*} e'\end{array}}{e \Longrightarrow^{*} e'}\;\textsf{pstep}$

    $\mathcal{D}' :: e''' \Longrightarrow^{*} e''$                                       by i.h. on $\mathcal{D}_1''$, $\mathcal{D}_2$
    $\mathcal{Q} :: e \Longrightarrow^{*} e''$                                           by pstep on $\mathcal{D}_1'$, $\mathcal{D}'$

□

The following sequence of lemmas leads to the main result of this section: the parallel
reduction relation possesses the Church-Rosser property. We present the lemmas in the same
sequence as in [Pfe93], but enrich the formulation by information on whether the derivations are closed
or open.

Lemma 3.6 (Substitution lemma) Let $\Phi$ be the dynamic extension of the world. If

$$\mathcal{D} :: \begin{array}{c}\overline{y \Longrightarrow y}\;v\\ \vdots\\ e_1 \Longrightarrow e_1'\end{array}$$

that is, $\mathcal{D}$ may use the assumption $v :: y \Longrightarrow y$ paired with $y :: \mathsf{term}\ \tau$, and $\mathcal{E} :: e_2 \Longrightarrow e_2'$, then there exists a reduction $e_1[e_2/y] \Longrightarrow e_1'[e_2'/y]$.


Proof: by structural induction on $\mathcal{D}$.

Case: $\mathcal{D} = \overline{x \Longrightarrow x}\;u$  (where $x :: \mathsf{term}\ \tau,\ u :: x \Longrightarrow x \in \Phi$ and $x \neq y$)

    $u :: x \Longrightarrow x$, i.e. $x[e_2/y] \Longrightarrow x[e_2'/y]$                         by assumption

Case: $\mathcal{D} = \overline{y \Longrightarrow y}\;v$

    $\mathcal{E} :: e_2 \Longrightarrow e_2'$, i.e. $y[e_2/y] \Longrightarrow y[e_2'/y]$                by assumption

Case: $\mathcal{D} = \dfrac{\begin{array}{c}\overline{x \Longrightarrow x}\;u\\ \vdots\\ \mathcal{D}_1\\ e_3 \Longrightarrow e_3'\end{array}\qquad\begin{array}{c}\mathcal{D}_2\\ e_4 \Longrightarrow e_4'\end{array}}{(\lambda x{:}\tau.\,e_3)\;e_4 \Longrightarrow e_3'[e_4'/x]}\;\textsf{pbeta}^{u}$

    Extend $\Phi$ by $x :: \mathsf{term}\ \tau,\ u :: x \Longrightarrow x$ to $\Phi'$
    $\mathcal{D}_1' :: e_3[e_2/y] \Longrightarrow e_3'[e_2'/y]$                                    by i.h. on $\mathcal{D}_1$ in $\Phi'$
    $\mathcal{D}_2' :: e_4[e_2/y] \Longrightarrow e_4'[e_2'/y]$                                    by i.h. on $\mathcal{D}_2$ in $\Phi$
    $\mathcal{Q} :: (\lambda x{:}\tau.\,e_3[e_2/y])\;e_4[e_2/y] \Longrightarrow e_3'[e_2'/y][e_4'[e_2'/y]/x]$    by rule pbeta$^{u}$ on $\mathcal{D}_1', \mathcal{D}_2'$
    $\mathcal{Q} :: ((\lambda x{:}\tau.\,e_3)\;e_4)[e_2/y] \Longrightarrow (e_3'[e_4'/x])[e_2'/y]$         by definition of substitution

Case: $\mathcal{D} = \dfrac{\begin{array}{c}\overline{x \Longrightarrow x}\;u\\ \vdots\\ \mathcal{D}_1\\ e \Longrightarrow e'\end{array}}{\lambda x{:}\tau.\,e \Longrightarrow \lambda x{:}\tau.\,e'}\;\textsf{plam}^{u}$

    Extend $\Phi$ by $x :: \mathsf{term}\ \tau,\ u :: x \Longrightarrow x$ to $\Phi'$
    $\mathcal{D}_1' :: e[e_2/y] \Longrightarrow e'[e_2'/y]$                                        by i.h. on $\mathcal{D}_1$ in $\Phi'$
    $\mathcal{Q} :: \lambda x{:}\tau.\,e[e_2/y] \Longrightarrow \lambda x{:}\tau.\,e'[e_2'/y]$                  by rule plam$^{u}$ on $\mathcal{D}_1'$
    $\mathcal{Q} :: (\lambda x{:}\tau.\,e)[e_2/y] \Longrightarrow (\lambda x{:}\tau.\,e')[e_2'/y]$              by definition of substitution

Case: $\mathcal{D} = \dfrac{\begin{array}{c}\mathcal{D}_1\\ e_3 \Longrightarrow e_3'\end{array}\qquad\begin{array}{c}\mathcal{D}_2\\ e_4 \Longrightarrow e_4'\end{array}}{e_3\;e_4 \Longrightarrow e_3'\;e_4'}\;\textsf{papp}$

    $\mathcal{D}_1' :: e_3[e_2/y] \Longrightarrow e_3'[e_2'/y]$                                    by i.h. on $\mathcal{D}_1$ in $\Phi$
    $\mathcal{D}_2' :: e_4[e_2/y] \Longrightarrow e_4'[e_2'/y]$                                    by i.h. on $\mathcal{D}_2$ in $\Phi$
    $\mathcal{Q} :: (e_3[e_2/y])\;(e_4[e_2/y]) \Longrightarrow (e_3'[e_2'/y])\;(e_4'[e_2'/y])$          by rule papp on $\mathcal{D}_1', \mathcal{D}_2'$
    $\mathcal{Q} :: (e_3\;e_4)[e_2/y] \Longrightarrow (e_3'\;e_4')[e_2'/y]$                          by definition of substitution

□

By  careful  inspection  we  can  determine  that  the  only  four  proof  principles  used  in  this  proof  are 
case  analysis,  appeals  to  the  induction  hypothesis,  construction  of  witness  objects  from  rules 
and  assumptions,  and  dynamic  extensions  of  the  world.  We  continue  this  presentation  with  the 
proof  of  the  diamond  lemma  for  parallel  reduction  which  shows  clearly  how  difficult  it  is  to  argue 
that  all  cases  are  covered. 

Lemma 3.7 (Diamond lemma) Let $\Phi$ be the dynamic extension of the world. If $\mathcal{D}^l :: e \Longrightarrow e^l$
and $\mathcal{D}^r :: e \Longrightarrow e^r$ then there exists a common reduct $e'$, such that $\mathcal{R}^l :: e^l \Longrightarrow e'$ and
$\mathcal{R}^r :: e^r \Longrightarrow e'$.

                  e
          D^l   /   \   D^r
               /     \
             e^l     e^r
               .     .
          R^l   .   .   R^r
                 e'

Proof: by simultaneous structural induction over $\mathcal{D}^l$ and $\mathcal{D}^r$.


Case: $\mathcal{D}^l = \overline{x \Longrightarrow x}\;u$ and $\mathcal{D}^r = \overline{x \Longrightarrow x}\;u$  (where $x :: \mathsf{term}\ \tau,\ u :: x \Longrightarrow x \in \Phi$)

    $e' = x$
    $\mathcal{R}^l = \mathcal{R}^r = u$                                                 by assumption

Case: $\mathcal{D}^l = \dfrac{\begin{array}{c}\overline{x \Longrightarrow x}\;u\\ \vdots\\ \mathcal{D}^l_1\\ e_1 \Longrightarrow e^l_1\end{array}\qquad\begin{array}{c}\mathcal{D}^l_2\\ e_2 \Longrightarrow e^l_2\end{array}}{(\lambda x{:}\tau.\,e_1)\;e_2 \Longrightarrow e^l_1[e^l_2/x]}\;\textsf{pbeta}^{u}$
 and $\mathcal{D}^r = \dfrac{\begin{array}{c}\overline{x \Longrightarrow x}\;u\\ \vdots\\ \mathcal{D}^r_1\\ e_1 \Longrightarrow e^r_1\end{array}\qquad\begin{array}{c}\mathcal{D}^r_2\\ e_2 \Longrightarrow e^r_2\end{array}}{(\lambda x{:}\tau.\,e_1)\;e_2 \Longrightarrow e^r_1[e^r_2/x]}\;\textsf{pbeta}^{u}$

    Extend $\Phi$ by $x :: \mathsf{term}\ \tau,\ u :: x \Longrightarrow x$ to $\Phi'$
    There exists an $e_1'$ with
      $\mathcal{P}_1 :: e^l_1 \Longrightarrow e_1'$ and $\mathcal{P}_2 :: e^r_1 \Longrightarrow e_1'$                 by i.h. on $\mathcal{D}^l_1, \mathcal{D}^r_1$ in $\Phi'$
    There exists an $e_2'$ with
      $\mathcal{Q}_1 :: e^l_2 \Longrightarrow e_2'$ and $\mathcal{Q}_2 :: e^r_2 \Longrightarrow e_2'$                 by i.h. on $\mathcal{D}^l_2, \mathcal{D}^r_2$ in $\Phi$
    $\mathcal{R}^l :: e^l_1[e^l_2/x] \Longrightarrow e_1'[e_2'/x]$                            by Lemma 3.6 on $\mathcal{P}_1, \mathcal{Q}_1$
    $\mathcal{R}^r :: e^r_1[e^r_2/x] \Longrightarrow e_1'[e_2'/x]$                            by Lemma 3.6 on $\mathcal{P}_2, \mathcal{Q}_2$

                    (λx:τ.e1) e2
                     /        \
           e1^l[e2^l/x]      e1^r[e2^r/x]
                     .        .
                     e1'[e2'/x]




Case: $\mathcal{D}^l = \dfrac{\begin{array}{c}\overline{x \Longrightarrow x}\;u\\ \vdots\\ \mathcal{D}^l_1\\ e_1 \Longrightarrow e^l_1\end{array}\qquad\begin{array}{c}\mathcal{D}^l_2\\ e_2 \Longrightarrow e^l_2\end{array}}{(\lambda x{:}\tau.\,e_1)\;e_2 \Longrightarrow e^l_1[e^l_2/x]}\;\textsf{pbeta}^{u}$
 and $\mathcal{D}^r = \dfrac{\begin{array}{c}\mathcal{D}^r_1\\ \lambda x{:}\tau.\,e_1 \Longrightarrow e^r_1\end{array}\qquad\begin{array}{c}\mathcal{D}^r_2\\ e_2 \Longrightarrow e^r_2\end{array}}{(\lambda x{:}\tau.\,e_1)\;e_2 \Longrightarrow e^r_1\;e^r_2}\;\textsf{papp}$

    $e^r_1 = \lambda x{:}\tau.\,e_1''$ and $\mathcal{D}^r_1 = \dfrac{\begin{array}{c}\overline{x \Longrightarrow x}\;u\\ \vdots\\ \mathcal{D}_1''\\ e_1 \Longrightarrow e_1''\end{array}}{\lambda x{:}\tau.\,e_1 \Longrightarrow \lambda x{:}\tau.\,e_1''}\;\textsf{plam}^{u}$      by inversion on $\mathcal{D}^r_1$
    Extend $\Phi$ by $x :: \mathsf{term}\ \tau,\ u :: x \Longrightarrow x$ to $\Phi'$
    There exists an $e_1'$ with
      $\mathcal{P}_1 :: e^l_1 \Longrightarrow e_1'$ and $\mathcal{P}_2 :: e_1'' \Longrightarrow e_1'$                 by i.h. on $\mathcal{D}^l_1, \mathcal{D}_1''$ in $\Phi'$
    There exists an $e_2'$ with
      $\mathcal{Q}_1 :: e^l_2 \Longrightarrow e_2'$ and $\mathcal{Q}_2 :: e^r_2 \Longrightarrow e_2'$                 by i.h. on $\mathcal{D}^l_2, \mathcal{D}^r_2$ in $\Phi$
    $\mathcal{R}^l :: e^l_1[e^l_2/x] \Longrightarrow e_1'[e_2'/x]$                            by Lemma 3.6 on $\mathcal{P}_1, \mathcal{Q}_1$
    $\mathcal{R}^r :: (\lambda x{:}\tau.\,e_1'')\;e^r_2 \Longrightarrow e_1'[e_2'/x]$                   by rule pbeta on $\mathcal{P}_2$ and $\mathcal{Q}_2$

                    (λx:τ.e1) e2
                     /        \
           e1^l[e2^l/x]      (λx:τ.e1'') e2^r
                     .        .
                     e1'[e2'/x]

Case: $\mathcal{D}^l = \dfrac{\begin{array}{c}\overline{x \Longrightarrow x}\;u\\ \vdots\\ \mathcal{D}^l_1\\ e \Longrightarrow e^l\end{array}}{\lambda x{:}\tau.\,e \Longrightarrow \lambda x{:}\tau.\,e^l}\;\textsf{plam}^{u}$
 and $\mathcal{D}^r = \dfrac{\begin{array}{c}\overline{x \Longrightarrow x}\;u\\ \vdots\\ \mathcal{D}^r_1\\ e \Longrightarrow e^r\end{array}}{\lambda x{:}\tau.\,e \Longrightarrow \lambda x{:}\tau.\,e^r}\;\textsf{plam}^{u}$

    Extend $\Phi$ by $x :: \mathsf{term}\ \tau,\ u :: x \Longrightarrow x$ to $\Phi'$
    There exists an $e'$ with
      $\mathcal{P}_1 :: e^l \Longrightarrow e'$ and $\mathcal{P}_2 :: e^r \Longrightarrow e'$                       by i.h. on $\mathcal{D}^l_1, \mathcal{D}^r_1$ in $\Phi'$
    $\mathcal{R}_1 :: \lambda x{:}\tau.\,e^l \Longrightarrow \lambda x{:}\tau.\,e'$                           by plam$^{u}$ on $\mathcal{P}_1$
    $\mathcal{R}_2 :: \lambda x{:}\tau.\,e^r \Longrightarrow \lambda x{:}\tau.\,e'$                           by plam$^{u}$ on $\mathcal{P}_2$

                      λx:τ.e
                     /      \
              λx:τ.e^l      λx:τ.e^r
                     .      .
                      λx:τ.e'

Case: $\mathcal{D}^l = \dfrac{\begin{array}{c}\mathcal{D}^l_1\\ \lambda x{:}\tau.\,e_1 \Longrightarrow e^l_1\end{array}\qquad\begin{array}{c}\mathcal{D}^l_2\\ e_2 \Longrightarrow e^l_2\end{array}}{(\lambda x{:}\tau.\,e_1)\;e_2 \Longrightarrow e^l_1\;e^l_2}\;\textsf{papp}$
 and $\mathcal{D}^r = \dfrac{\begin{array}{c}\overline{x \Longrightarrow x}\;u\\ \vdots\\ \mathcal{D}^r_1\\ e_1 \Longrightarrow e^r_1\end{array}\qquad\begin{array}{c}\mathcal{D}^r_2\\ e_2 \Longrightarrow e^r_2\end{array}}{(\lambda x{:}\tau.\,e_1)\;e_2 \Longrightarrow e^r_1[e^r_2/x]}\;\textsf{pbeta}^{u}$

    $e^l_1 = \lambda x{:}\tau.\,e_1''$ and $\mathcal{D}^l_1 = \dfrac{\begin{array}{c}\overline{x \Longrightarrow x}\;u\\ \vdots\\ \mathcal{D}_1''\\ e_1 \Longrightarrow e_1''\end{array}}{\lambda x{:}\tau.\,e_1 \Longrightarrow \lambda x{:}\tau.\,e_1''}\;\textsf{plam}^{u}$      by inversion on $\mathcal{D}^l_1$
    Extend $\Phi$ by $x :: \mathsf{term}\ \tau,\ u :: x \Longrightarrow x$ to $\Phi'$
    There exists an $e_1'$ with
      $\mathcal{P}_1 :: e_1'' \Longrightarrow e_1'$ and $\mathcal{P}_2 :: e^r_1 \Longrightarrow e_1'$                 by i.h. on $\mathcal{D}_1'', \mathcal{D}^r_1$ in $\Phi'$
    There exists an $e_2'$ with
      $\mathcal{Q}_1 :: e^l_2 \Longrightarrow e_2'$ and $\mathcal{Q}_2 :: e^r_2 \Longrightarrow e_2'$                 by i.h. on $\mathcal{D}^l_2, \mathcal{D}^r_2$ in $\Phi$
    $\mathcal{R}_1 :: (\lambda x{:}\tau.\,e_1'')\;e^l_2 \Longrightarrow e_1'[e_2'/x]$                    by rule pbeta on $\mathcal{P}_1$ and $\mathcal{Q}_1$
    $\mathcal{R}_2 :: e^r_1[e^r_2/x] \Longrightarrow e_1'[e_2'/x]$                             by Lemma 3.6 on $\mathcal{P}_2, \mathcal{Q}_2$

                    (λx:τ.e1) e2
                     /        \
         (λx:τ.e1'') e2^l     e1^r[e2^r/x]
                     .        .
                     e1'[e2'/x]

Case: $\mathcal{D}^l = \dfrac{\begin{array}{c}\mathcal{D}^l_1\\ e_1 \Longrightarrow e^l_1\end{array}\qquad\begin{array}{c}\mathcal{D}^l_2\\ e_2 \Longrightarrow e^l_2\end{array}}{e_1\;e_2 \Longrightarrow e^l_1\;e^l_2}\;\textsf{papp}$
 and $\mathcal{D}^r = \dfrac{\begin{array}{c}\mathcal{D}^r_1\\ e_1 \Longrightarrow e^r_1\end{array}\qquad\begin{array}{c}\mathcal{D}^r_2\\ e_2 \Longrightarrow e^r_2\end{array}}{e_1\;e_2 \Longrightarrow e^r_1\;e^r_2}\;\textsf{papp}$

    There exists an $e_1'$ with
      $\mathcal{P}_1 :: e^l_1 \Longrightarrow e_1'$ and $\mathcal{P}_2 :: e^r_1 \Longrightarrow e_1'$                 by i.h. on $\mathcal{D}^l_1, \mathcal{D}^r_1$ in $\Phi$
    There exists an $e_2'$ with
      $\mathcal{Q}_1 :: e^l_2 \Longrightarrow e_2'$ and $\mathcal{Q}_2 :: e^r_2 \Longrightarrow e_2'$                 by i.h. on $\mathcal{D}^l_2, \mathcal{D}^r_2$ in $\Phi$
    $\mathcal{R}_1 :: e^l_1\;e^l_2 \Longrightarrow e_1'\;e_2'$                                    by papp on $\mathcal{P}_1, \mathcal{Q}_1$
    $\mathcal{R}_2 :: e^r_1\;e^r_2 \Longrightarrow e_1'\;e_2'$                                    by papp on $\mathcal{P}_2, \mathcal{Q}_2$

                      e1 e2
                     /     \
              e1^l e2^l   e1^r e2^r
                     .     .
                      e1' e2'

□


The proof of the diamond lemma introduces two new proof principles. First, we use inversion in the third and the sixth case of the proof, and second, we repeatedly appeal to the substitution Lemma 3.6. Conceptually, inversion is a new operation, but technically it is nothing but a special form of case analysis. Given a derivation of some judgment, cases can be analyzed according to the last applied rule; if the last rule application is uniquely determined, this case analysis is commonly called inversion. In practice, however, inversion need not be unique: one example is the cut-elimination theorem for the sequent calculus of first-order intuitionistic logic [Pfe95].

The second proof principle is lemma application; it is very important since it allows programming language and logic designers to stage their development into tasks of appropriate size.

Continuing the development of the Church-Rosser theorem for parallel reduction, we present three more lemmas, which generalize the diamond Lemma 3.7 to parallel multi-step reduction and parallel conversion. We give the proofs explicitly in order to have an extended set of examples for the subsequent chapters of this thesis. Alternatively, the interested reader may consult [Pfe93] for a more detailed presentation.

Lemma 3.8 (Strip lemma) Let $\Phi$ be the dynamic extension of the world. If $\mathcal{D}^l :: e \Rightarrow e^l$ and $\mathcal{D}^r :: e \Rightarrow^* e^r$ then there exists a common reduct $e'$, such that $\mathcal{R}_1 :: e^l \Rightarrow^* e'$ and $\mathcal{R}_2 :: e^r \Rightarrow e'$.


CHAPTER  3.  REASONING 


Proof: by structural induction on $\mathcal{D}^r$.

Case: $\mathcal{D}^r = $ pid, so $e^r = e$.

$\mathcal{R}_1 :: e^l \Rightarrow^* e^l$   by rule pid
$\mathcal{R}_2 = \mathcal{D}^l :: e \Rightarrow e^l$   by assumption

Case: $\mathcal{D}^r = $ pstep on $\mathcal{D}_1^r :: e \Rightarrow e_1$ and $\mathcal{D}_2^r :: e_1 \Rightarrow^* e^r$.

There exists an $e_1'$ such that
  $\mathcal{P}_1 :: e^l \Rightarrow e_1'$
  $\mathcal{P}_2 :: e_1 \Rightarrow e_1'$   by Lemma 3.7 on $\mathcal{D}^l$, $\mathcal{D}_1^r$ in $\Phi$
There exists an $e_2'$ such that
  $\mathcal{P}_3 :: e_1' \Rightarrow^* e_2'$
  $\mathcal{R}_2 :: e^r \Rightarrow e_2'$   by i.h. on $\mathcal{P}_2$, $\mathcal{D}_2^r$ in $\Phi$
$\mathcal{R}_1 :: e^l \Rightarrow^* e_2'$   by rule pstep on $\mathcal{P}_1$ and $\mathcal{P}_3$

□

A further generalization yields the confluence lemma: the left reduction step is generalized to a multi-step reduction.

Lemma 3.9 (Confluence lemma) Let $\Phi$ be the dynamic extension of the world. If $\mathcal{D}^l :: e \Rightarrow^* e^l$ and $\mathcal{D}^r :: e \Rightarrow^* e^r$ then there exists a common reduct $e'$, such that $\mathcal{R}_1 :: e^l \Rightarrow^* e'$ and $\mathcal{R}_2 :: e^r \Rightarrow^* e'$.


Proof: by structural induction on $\mathcal{D}^l$.

Case: $\mathcal{D}^l = $ pid, so $e^l = e$.

$\mathcal{R}_1 :: e \Rightarrow^* e^r$   by assumption $\mathcal{D}^r$
$\mathcal{R}_2 :: e^r \Rightarrow^* e^r$   by rule pid

Case: $\mathcal{D}^l = $ pstep on $\mathcal{D}_1^l :: e \Rightarrow e_1$ and $\mathcal{D}_2^l :: e_1 \Rightarrow^* e^l$.

There exists an $e_1'$ such that
  $\mathcal{P}_1 :: e_1 \Rightarrow^* e_1'$
  $\mathcal{P}_2 :: e^r \Rightarrow e_1'$   by Lemma 3.8 on $\mathcal{D}_1^l$, $\mathcal{D}^r$ in $\Phi$
There exists an $e_2'$ such that
  $\mathcal{R}_1 :: e^l \Rightarrow^* e_2'$
  $\mathcal{P}_3 :: e_1' \Rightarrow^* e_2'$   by i.h. on $\mathcal{D}_2^l$, $\mathcal{P}_1$ in $\Phi$
$\mathcal{R}_2 :: e^r \Rightarrow^* e_2'$   by rule pstep on $\mathcal{P}_2$ and $\mathcal{P}_3$

□


Everything is in place to prove the Church-Rosser theorem for parallel reduction.

Theorem 3.10 (Church-Rosser) Let $\Phi$ be the dynamic extension of the world. If $\mathcal{D} :: e^l \Leftrightarrow^* e^r$ then there exists a common reduct $e'$, such that $\mathcal{R}_1 :: e^l \Rightarrow^* e'$ and $\mathcal{R}_2 :: e^r \Rightarrow^* e'$.

Proof: by structural induction on $\mathcal{D}$.

Case: $\mathcal{D} = $ pred on $\mathcal{D}_1 :: e^l \Rightarrow^* e^r$.

$\mathcal{R}_1 :: e^l \Rightarrow^* e^r$   by assumption $\mathcal{D}_1$
$\mathcal{R}_2 :: e^r \Rightarrow^* e^r$   by rule pid

Case: $\mathcal{D} = $ pexp on $\mathcal{D}_1 :: e^r \Rightarrow^* e^l$.

$\mathcal{R}_1 :: e^l \Rightarrow^* e^l$   by rule pid
$\mathcal{R}_2 :: e^r \Rightarrow^* e^l$   by assumption $\mathcal{D}_1$

Case: $\mathcal{D} = $ ptrans on $\mathcal{D}_1 :: e^l \Leftrightarrow^* e$ and $\mathcal{D}_2 :: e \Leftrightarrow^* e^r$.

There exists an $e_1'$ such that
  $\mathcal{P}_1 :: e^l \Rightarrow^* e_1'$
  $\mathcal{P}_2 :: e \Rightarrow^* e_1'$   by i.h. on $\mathcal{D}_1$ in $\Phi$
There exists an $e_2'$ such that
  $\mathcal{P}_3 :: e \Rightarrow^* e_2'$
  $\mathcal{P}_4 :: e^r \Rightarrow^* e_2'$   by i.h. on $\mathcal{D}_2$ in $\Phi$
There exists an $e'$ such that
  $\mathcal{Q}_1 :: e_1' \Rightarrow^* e'$
  $\mathcal{Q}_2 :: e_2' \Rightarrow^* e'$   by Lemma 3.9 on $\mathcal{P}_2$, $\mathcal{P}_3$ in $\Phi$
$\mathcal{R}_1 :: e^l \Rightarrow^* e'$   by Lemma 3.5 on $\mathcal{P}_1$, $\mathcal{Q}_1$
$\mathcal{R}_2 :: e^r \Rightarrow^* e'$   by Lemma 3.5 on $\mathcal{P}_4$, $\mathcal{Q}_2$

□
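The realizability reading of the last four proofs can be made concrete by writing them as recursive functions over derivations, which is what the meta-logic of the following chapters does with its proof terms. The program below is an added example written for this page; it is not code from the thesis or from Twelf. It represents simply-typed λ-terms as first-order trees with named variables instead of higher-order LF objects, represents a derivation of $e \Rightarrow e'$ as a tree of rule names (u, plam, papp, pbeta), multi-step derivations (pid/pstep) as Python lists, and conversions (pred/pexp/ptrans) as lists of reduction and expansion segments; it then implements the diamond Lemma 3.7, the strip Lemma 3.8, the confluence Lemma 3.9 and Theorem 3.10 case by case, following the proofs above. It assumes the usual variable convention (no bound variable clashes with a free variable of a term substituted in), which the LF encoding makes automatic; the function names, the tuple encodings and the sample derivations are this example's own.

```python
# Added example for Lemmas 3.7-3.9 and Theorem 3.10 (written for this page, not
# code from the thesis or Twelf).  Terms: ('var', x) | ('lam', x, e) | ('app', e1, e2).
# One-step derivations of e => e':  ('var', x) is u :: x => x (parameter from Phi);
#   ('lam', x, D) plam;  ('app', D1, D2) papp;  ('beta', x, D1, D2) pbeta.
# Multi-step derivations (pid/pstep) are lists; conversions (pred/pexp/ptrans) are
# non-empty lists of ('red', multi) | ('exp', multi).  Assumed variable convention:
# no bound variable clashes with a free variable of a substituted term (no capture).

def subst(e, x, s):
    """e[s/x]; a binder named x shadows x."""
    if e[0] == 'var':
        return s if e[1] == x else e
    if e[0] == 'lam':
        return e if e[1] == x else ('lam', e[1], subst(e[2], x, s))
    return ('app', subst(e[1], x, s), subst(e[2], x, s))

def src(d):  # the term a one-step derivation starts from
    if d[0] == 'var': return ('var', d[1])
    if d[0] == 'lam': return ('lam', d[1], src(d[2]))
    if d[0] == 'app': return ('app', src(d[1]), src(d[2]))
    return ('app', ('lam', d[1], src(d[2])), src(d[3]))

def tgt(d):  # the term a one-step derivation reduces to
    if d[0] == 'var': return ('var', d[1])
    if d[0] == 'lam': return ('lam', d[1], tgt(d[2]))
    if d[0] == 'app': return ('app', tgt(d[1]), tgt(d[2]))
    return subst(tgt(d[2]), d[1], tgt(d[3]))

def chain(ms, e):
    """Follow ms :: e =>* e_n, checking each step starts at the previous target; return e_n."""
    for d in ms:
        assert src(d) == e, 'step does not start where the previous one ended'
        e = tgt(d)
    return e

def subst_deriv(d, x, s):
    """Lemma 3.6: D :: e1 => e1', S :: e2 => e2'  |->  e1[e2/x] => e1'[e2'/x]."""
    if d[0] == 'var':
        return s if d[1] == x else d
    if d[0] == 'lam':
        return d if d[1] == x else ('lam', d[1], subst_deriv(d[2], x, s))
    if d[0] == 'app':
        return ('app', subst_deriv(d[1], x, s), subst_deriv(d[2], x, s))
    y, d1, d2 = d[1], d[2], d[3]
    d1 = d1 if y == x else subst_deriv(d1, x, s)      # the binder y shadows x
    return ('beta', y, d1, subst_deriv(d2, x, s))

def diamond(dl, dr):
    """Lemma 3.7: Dl :: e => el, Dr :: e => er  |->  (R1 :: el => e', R2 :: er => e')."""
    if dl[0] == 'var':                                # u / u
        return dl, dr
    if dl[0] == 'lam':                                # plam / plam: i.h. under the binder
        r1, r2 = diamond(dl[2], dr[2])
        return ('lam', dl[1], r1), ('lam', dr[1], r2)
    if dl[0] == 'app' and dr[0] == 'app':             # papp / papp
        (p1, p2), (q1, q2) = diamond(dl[1], dr[1]), diamond(dl[2], dr[2])
        return ('app', p1, q1), ('app', p2, q2)
    if dl[0] == 'app':                                # papp / pbeta: mirror of pbeta / papp
        r2, r1 = diamond(dr, dl)
        return r1, r2
    x = dl[1]
    if dr[0] == 'beta':                               # pbeta / pbeta
        (p1, p2), (q1, q2) = diamond(dl[2], dr[2]), diamond(dl[3], dr[3])
        return subst_deriv(p1, x, q1), subst_deriv(p2, x, q2)
    # pbeta / papp: inversion on Dr_1, which must be plam on dr[1][2]
    (p1, p2), (q1, q2) = diamond(dl[2], dr[1][2]), diamond(dl[3], dr[2])
    return subst_deriv(p1, x, q1), ('beta', x, p2, q2)

def strip(dl, drs):
    """Lemma 3.8: Dl :: e => el, Drs :: e =>* er  |->  (el =>* e', er => e')."""
    if not drs:                                       # pid: er = e
        return [], dl
    p1, p2 = diamond(dl, drs[0])                      # Lemma 3.7
    r1, r2 = strip(p2, drs[1:])                       # i.h.
    return [p1] + r1, r2                              # pstep

def confluence(dls, drs):
    """Lemma 3.9: Dls :: e =>* el, Drs :: e =>* er  |->  (el =>* e', er =>* e')."""
    if not dls:                                       # pid: el = e
        return drs, []
    p1, p2 = strip(dls[0], drs)                       # Lemma 3.8
    r1, r2 = confluence(dls[1:], p1)                  # i.h.
    return r1, [p2] + r2                              # pstep

def church_rosser(conv):
    """Theorem 3.10: conv :: el <=>* er  |->  (el =>* e', er =>* e')."""
    kind, ms = conv[0]
    l1, r1 = (ms, []) if kind == 'red' else ([], ms)  # pred / pexp
    if len(conv) == 1:
        return l1, r1
    l2, r2 = church_rosser(conv[1:])                  # ptrans: i.h. on the tail
    q1, q2 = confluence(r1, l2)                       # Lemma 3.9
    return l1 + q1, r2 + q2                           # Lemma 3.5 (transitivity)

# Constructed sample input: e = (\x. f x) ((\y. y) z), with parameters f, z in Phi.
F, Z = ('var', 'f'), ('var', 'z')
DL = ('beta', 'x', ('app', F, ('var', 'x')), ('beta', 'y', ('var', 'y'), Z))  # e => f z
DR = ('app', ('lam', 'x', ('app', F, ('var', 'x'))), ('beta', 'y', ('var', 'y'), Z))  # e => (\x. f x) z

def demo():  # join f z <=>* (\x. f x) z; returns the two endpoints reached, which coincide
    left, right = church_rosser([('exp', [DL]), ('red', [DR])])
    return chain(left, tgt(DL)), chain(right, tgt(DR))
```

Each branch of `diamond` is one case of the proof: the inversion used in the third and sixth case becomes the pattern match on the plam node inside the papp premise, and each appeal to Lemma 3.6 becomes a call to `subst_deriv`. All functions are total and structurally recursive on the derivations they take apart, which is exactly the termination and coverage discipline the realizers of the meta-logic are required to satisfy.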

This concludes the presentation of meta-theoretic results for parallel reduction. All proofs so far have exposed five basic and recurring proof principles. In order to prove a theorem by induction, different cases must be analyzed, and the formulation of the theorem can be used as induction hypothesis, as long as the argument derivations are smaller than the given ones. What inductive theorem proving treats as one operation, through the presence of induction principles, is treated in our presentation as two different operations.

New derivations must be constructed from derivations already known to exist by the application of inference rules. This proof principle constructs witness derivations for existentially quantified variables using assumptions (also from $\Phi$) and inference rules.

If the induction hypothesis of a theorem is so general that it can be applied to open terms (which are open in a regular world extension $\Phi$), new parameters can be dynamically introduced into the proof process. And last but not least, very often lemmas are needed to complete a proof. The possibility to appeal to lemmas is crucial in any interactive proof development system.

3.2.4  Equivalence  of  Parallel  and  Ordinary  Reduction 

The  Church-Rosser  property  for  parallel  reduction  is  proven.  But  what  about  the  Church-Rosser 
property  of  the  ordinary  reduction  relation?  We  proceed  by  showing  that  it  is  also  satisfied  for 
ordinary  reduction.  The  essential  idea  behind  the  proof  is  that  any  ordinary  reduction  can  be 
transformed  into  a  parallel  reduction  and  vice  versa. 
Lemma 3.11 (Single-step correspondence)

1. If $\mathcal{D} :: e^l \to e^r$ then $e^l \Rightarrow e^r$.

2. If $\mathcal{D} :: e^l \Rightarrow e^r$ then $e^l \to^* e^r$.

Proof: by structural induction on $\mathcal{D}$ in (1) and (2). For the detailed proof, see [Pfe93], Lemma 10 and Lemma 11. □

This result can be generalized to an entire sequence of reduction steps. Each ordinary multi-step reduction can be expressed by a parallel multi-step reduction and vice versa.

Lemma 3.12 (Multi-step correspondence) $\mathcal{D} :: e^l \to^* e^r$ iff $\mathcal{R} :: e^l \Rightarrow^* e^r$.

Proof: by structural induction on $\mathcal{D}$ and on $\mathcal{R}$, respectively. For the detailed proof, see [Pfe93], Lemma 12. □

The conversion rules for ordinary reduction do not correspond directly to the conversion rules for parallel reduction. For example, there is an explicit ordinary symmetry r
rule rsymm, but there is no such rule in the parallel case. We can show, however, that it is admissible.

Lemma 3.13 (Symmetry) If $\mathcal{D} :: e^l \Leftrightarrow^* e^r$ then $\mathcal{R} :: e^r \Leftrightarrow^* e^l$.

Proof: by structural induction on $\mathcal{D}$. For the detailed proof, see [Pfe93], Lemma 14. □

Using this result, one can now show the equivalence of ordinary and parallel conversion.

Lemma 3.14 (Conversion correspondence)

1. If $\mathcal{D} :: e^l \leftrightarrow^* e^r$ then $e^l \Leftrightarrow^* e^r$.

2. If $\mathcal{D} :: e^l \Leftrightarrow^* e^r$ then $e^l \leftrightarrow^* e^r$.

Proof: by structural induction on $\mathcal{D}$ in (1) and (2). For the detailed proof, see [Pfe93], Lemma 13 and Lemma 15. □

It is now easy to see that the ordinary reduction relation also enjoys the Church-Rosser property. Given an ordinary conversion derivation between two terms $e^l$ and $e^r$, Lemma 3.14 guarantees that there is a corresponding parallel conversion. By the Church-Rosser property for parallel reduction (Theorem 3.10), one obtains a common reduct $e'$ and two parallel multi-step reductions $\mathcal{D}^l$ and $\mathcal{D}^r$, which can be translated back into ordinary multi-step reductions using Lemma 3.12 twice.

Theorem 3.15 (Church-Rosser for ordinary reduction) If $e^l \leftrightarrow^* e^r$ then there exists a common reduct $e'$, s.t. $e^l \to^* e'$ and $e^r \to^* e'$.

Proof: Direct. For the detailed proof, see [Pfe93], Theorem 16. □

When  studying  the  proofs  in  [Pfe93],  the  reader  will  notice  that  the  only  proof  principles 
used  are  the  ones  discussed  in  this  chapter. 
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3.3  Historical  Overview 

The formalization of formal theories of various kinds has been the focus of attention in the automated theorem proving and proof assistant community for at least four decades. First there were general-purpose theorem provers, built to support mathematicians in their search for mathematical truth. Then other special-purpose automated theorem proving techniques were invented, developed, and established; one of the most successful is model checking [CGP00], which has proven extremely successful not only in the academic environment but also in industrial applications. In order to classify the work presented in this thesis as a special-purpose automated theorem proving system for the development of the meta-theory of deductive systems, we give a brief overview of previous developments and discuss the advantages and disadvantages of existing theorem proving techniques.

3.3.1  General-Purpose  Theorem  Provers 

The work by Boyer and Moore [BM79] on the Nqthm theorem prover has triggered a whole research program concerned with the automated deduction of true statements. Even though mainly interested in reasoning about mathematical truth, this theorem prover has been applied to many different problem domains over the last two decades. In general, formal methods and automated deduction techniques have found numerous applications in hardware and in software design. Based on quantifier-free inductive definitions, Nqthm reads a list of theorems and proofs and tries to bridge the gaps in the proofs by automatically applying small reasoning steps. Only if a gap is too big does the theorem prover complain and ask the developer to introduce new lemmas. Many important theorems have been verified using Nqthm, among many others the Church-Rosser theorem [Sha88], Gödel's incompleteness theorem [Sha94], and the Ramsey theorem [Kun95].

When using a theorem prover like Nqthm for the development of the Church-Rosser theorem, the user is required to encode terms, the typing relation, and all reduction relations in the form of quantifier-free inductive definitions. Variables, for example, must be represented as strings or numbers, substitutions must be encoded explicitly, and naturally the soundness of substitution application must be proven explicitly. It is clearly possible to use Nqthm as a theorem prover to tackle this task (as Shankar has demonstrated [Sha88]), but the restriction to quantifier-free inductive definitions puts an additional burden on the user to implement the various variable concepts and capture-avoiding substitutions, and to prove the corresponding substitution lemmas.

Over time, many techniques have been developed to perform efficient proof search in different logics, ranging from classical over intuitionistic to linear logics, and with different degrees of expressiveness, ranging from propositional over first-order to higher-order logics. Techniques such as resolution [Rob65], paramodulation [BGLS92], or the inverse method [DMTV99] have been devised to facilitate proof search in various calculi, such as natural deduction [Pra65], the sequent calculus [Gen35], the tableaux formulation [Hah99], or the intercalation calculus, a formulation of natural deduction specialized for proof search [SB98]. These techniques are tuned to conduct efficient proof search in deductive systems.

Our endeavor, however, lies in reasoning about deductive systems. Early on it was noticed that the inductive formalization of natural numbers is directly reflected in proofs by mathematical induction [God90]. In computer science, where many constructs are inductively defined, induction has presented itself as a very valuable tool to express and reason about specifications in a formal way. Thus, many theorem provers are based on induction and inductive definitions in order to formalize deductive systems, such as programming languages and logics. In fact, induction is one of the core concepts present in almost every proof assistant, such as Isabelle [Pau94], Coq [DFH+93], Lego [LP92], and PVS [ORS92], and in many theorem provers, such as INKA [HS96] and Nqthm [BM79].

Unfortunately, inductive theorem provers are limited in their expressiveness. By definition, inductive definitions are restricted by the positivity condition: the type to be defined may occur only in positive positions in the constructor types. This means, however, that our preferred encoding of the simply-typed λ-calculus, which relies on a higher-order encoding, cannot be expressed using standard inductive definitions. The argument to "lam", for example, is a function of type "term ⌜τ1⌝ → term ⌜τ2⌝", which clearly violates the positivity condition. Thus none of the presently available theorem provers supports our proposed way of encoding the Church-Rosser theorem (see Section 3.2). In this thesis we present a technique that allows inductive reasoning over deductive systems that are encoded using higher-order representation techniques.

In contrast to the proof strategy of Nqthm, almost all modern theorem provers have adopted a tactic-based proof development style [Pau83]. The inference system of the logic intrinsic to the theorem prover consists in general of a set of rules. Given the current proof goal, it is the user's responsibility to apply rules in the correct order. But in many cases, repeated application of the same rule, or the application of rules in a particular order, becomes necessary, which has prompted the development of special-purpose languages to express algorithms that execute any kind of rule application. These algorithms are called tactics, and they simplify the theorem proving effort tremendously. The application of a tactic can either succeed, leaving the user with a new (possibly empty) set of subgoals, or fail, in which case the proof goal remains unchanged.

The work presented in this thesis does not take advantage of recent advances in tactic-based theorem provers. But we recognize that this work can profit from techniques such as proof planning [BSvH+93] and lemma generalization [FH94].

3.3.2  Special-Purpose  Theorem  Provers 

Besides general-purpose theorem provers, which are designed to tackle any problem expressible in mathematics, there are theorem provers designed to serve a special purpose. In hardware verification, for example, many circuits can be described by finite state automata. Specifically, the technique of model checking makes it possible to verify a piece of hardware (or rather its model) against a given specification by means of a complete state space traversal. The languages used to express those specifications are typically temporal logics; the interested reader might consult [CGP00] for a detailed discussion. If any of the states does not satisfy the specification, the model checking algorithm fails and may report a counterexample that gives the hardware designer insight into the cause of the failure. Model checking is tremendously successful because it serves a special and relevant purpose and it guarantees a high degree of automation.

Other special-purpose theorem proving techniques are based on rewriting [HO80] and geometry. In rewriting, important decision procedures have been developed in order to decide whether two terms are equal modulo a set of equalities. Clearly, this decision procedure is a special-purpose theorem proving technique. Special-purpose decision procedures have also been developed to reason quickly about geometry, for example by using Gröbner bases [Kap98].

It is very difficult (even though possible) to represent and reason about a model-checking problem in a general-purpose theorem prover. Since the overhead is enormous, this technology would almost certainly not have been as widely accepted as model checking is today. Therefore we argue in favor of special-purpose techniques to augment general-purpose theorem provers. In particular, general-purpose theorem provers offer only a restricted set of operators for specification and reasoning; in order to use other operators, auxiliary constructions are mandatory. For example, in order to use a general-purpose theorem prover to express a finite state traversal problem, one has to encode the reachability relation between states explicitly, whereas it is implicit when using a model checker like SMV [CGP00].

In  this  sense,  the  meta-theorem  prover  which  we  develop  in  the  next  few  chapters  is  a  special 
purpose  theorem  prover.  The  technology  presented  in  this  thesis  does  not  provide  a  new  approach 
to  general  purpose  theorem  proving,  on  the  contrary,  it  delivers  special  purpose  theorem  proving 
technology  for  the  use  of  higher-order  encodings.  Proofs  found  by  our  meta-theorem  prover  can 
be  transformed  into  proofs  of  a  general  purpose  theorem  prover.  In  fact,  in  Section  9.1.4,  we 
discuss  the  possibility  of  translating  our  meta-proofs  into  proofs  parsable  and  understandable 
by  other  theorem  provers,  such  as  Lego  or  Isabelle. 

3.4  Summary 

In this chapter we have presented a detailed proof of the Church-Rosser theorem for the simply-typed λ-calculus, and have characterized five basic and recurring proof principles:

1. Case analysis of the last applied inference rule of a given derivation. The proof obligation is split into several new cases.

2. The construction of one or several witness derivations for one or several existentially quantified judgments. This operation closes a proof obligation.

3. During a proof, an appeal to the induction hypothesis may be invoked.

4. The development of a theory consists of a sequence of lemmas, where each lemma must be a derivable consequence of previous ones.

5. The proof may be hypothetical, that is, the derivations may be valid in a regular extension of the current world. The world may be dynamically extended during the course of a proof.

All proofs in this chapter are composed of a sequence of these basic operations, which should leave the reader with the following impression: the proofs themselves are not particularly difficult, but they are tedious. The most difficult problem is to express the induction hypothesis in appropriate generality, that is, the formulation of the theorem itself. In addition, we note that all theorems of this section can be expressed as $\Pi_2$-formulas.

As opposed to traditional theorem proving techniques, which are concerned with reasoning in a deductive system (a calculus for some logic), our goal is to reason about deductive systems. In the further development of this thesis we will use some techniques from the former, but the overall emphasis of this thesis is the technology to accomplish the latter. In addition, we strongly believe that in the formal development of programming languages and logics the contributions of this work are very important, since they help to verify and automatically prove many of the properties of deductive systems. Furthermore, we strongly believe that such a system should support the user with helpful hints on how to improve the formulation of a lemma or a theorem in the case of failure.

The theorem prover and its theory, presented in the subsequent chapters, is a special-purpose theorem prover: it owes its success to the combination of elegant higher-order representation techniques and proofs by cases and recursion. But in other respects it is quite basic; it takes advantage of only a few traditional theorem proving techniques, and its implementation could profit largely from applying techniques such as the inverse method [DMTV99], focusing [And92, How98], or rippling [BSvH+93], techniques that are well known for traditional systems.
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Chapter  4 

Meta-Logical  Frameworks 


4.1  Introduction 

Logical frameworks are powerful (meta-)languages that support encodings of a large variety of deductive systems, including deductive systems that contain side conditions, such as the Eigenvariable condition for first-order logic or freshness conditions on parameters in programming languages. Object languages that contain a variable concept, logics that introduce hypotheses, and rewrite systems that dynamically extend the local rewrite relation by cases for newly introduced parameters can be represented very elegantly in these frameworks. In LF, for example, the adequacy and soundness arguments of an encoding rely on the fact that a canonical form exists for every LF object, including those of functional type, and that the framework provides dependent types (see Section 2.4.4).

Canonical forms are inductively defined by their very definition in LF. In particular, canonical forms of functional type always start with a leading prefix of λ-abstractions. We have argued in Section 2.6 that even though the notion of operational semantics associated with LF functions does not capture definition by cases, LF is an ideal candidate for adequately encoding deductive systems. Clearly, it is not expressive enough to formalize functions manipulating derivations that need to be defined by recursion and case analysis. In this thesis, we use LF's function space only for the purpose of representation; for the purpose of defining functions by case analysis and recursion, we introduce in this chapter the notion of a recursive function space that is defined in terms of LF objects and LF types.

There is a very deep connection between the recursive function space and standard induction principles. First-order encodings of natural numbers, for example, possess standard induction principles used to reason about natural numbers. More specifically, the induction principle expresses how to derive a property $P$ for all natural numbers $n$:

$$\frac{\vdash P(0)\qquad\begin{array}{c}\overline{\vdash P(n)}\;u\\ \vdots\\ \vdash P(n+1)\end{array}}{\vdash \forall n.\,P(n)}\ \mathrm{natind}^{u}$$


Using this induction principle, we can argue, for example, that the result of adding any number to itself is even, which is expressed by the predicate "even$(n)$". Assuming that "even$(n)$" implies "even$(n+2)$", we can quickly prove the formula "$\forall n.\,\mathrm{even}(n+n)$":

$$\frac{\dfrac{}{\vdash \mathrm{even}(0+0)}\ \mathrm{ev\_z}\qquad \dfrac{\overline{\vdash \mathrm{even}(n+n)}\;u}{\vdash \mathrm{even}(n+n+2)}\ \mathrm{ev\_ss}}{\vdash \forall n.\,\mathrm{even}(n+n)}\ \mathrm{natind}^{u}$$



This proof contains some computational content that can be summarized by a recursive function defined by cases. Appeals to the induction hypothesis correspond to recursive calls, given an appropriate formalization of the two rules ev_z and ev_ss as "evz" and "evss", respectively:

    fun double 0 = evz
      | double (n + 1) =        (* successor case; n + 1 is written as a pattern *)
          let
            val D = double n    (* appeal to the induction hypothesis *)
          in
            evss D
          end

It has been noticed that the first-order case does not generalize well to the higher-order case. As our example shows, the main reason that an induction principle exists is that we can predict the form of a natural number: it is either 0, or it is the successor of some other natural number. These are the only two cases to be considered; there are no other constructors for natural numbers. The justification of the soundness of this induction principle relies on the general assumption about the world: it is assumed to be closed. Only if it is can it be argued that the induction principle covers all cases. Correspondingly, it is easy to see that double covers all cases. In addition it is terminating, which makes it a realizer for the proof given above.

If the definition of natural numbers were open-ended, this particular induction principle would not be sound. Thus, in order to make the closed world assumption explicit, we take the liberty of augmenting the induction schema with a symbol "$\cdot$" representing that the world is closed:

$$\frac{\cdot \vdash P(0)\qquad\begin{array}{c}\overline{\cdot \vdash P(n)}\;u\\ \vdots\\ \cdot \vdash P(n+1)\end{array}}{\cdot \vdash \forall n.\,P(n)}\ \mathrm{natind}^{u}$$



Are there standard induction principles for higher-order encodings? Not according to the standard literature. It is the goal of this chapter to motivate the design of a meta-logic that accommodates reasoning by cases in the presence of higher-order encodings. The fundamental problem is that induction over higher-order encodings violates the closed world assumption, since in order to appeal to the induction hypothesis, one has to traverse λ-binders, thereby extending the world. Clearly the open world assumption is too general: it is impossible to guarantee that an induction principle, or the related recursive function, covers all cases because the world is always subject to change.
The solution suggested by Equation (3.2.3) is what we call the regular world assumption, which characterizes the form of all possible worlds $\Phi$ (in a uniform way). Thus, one idea is to design an induction principle to reason about a property $P$ for all simply-typed λ-terms in a world with the regular extension

$$\Phi ::= \cdot \mid \Phi, (x : \mathrm{term}\ \tau,\ u : P(x))$$

Tentatively, one would expect an induction principle of the following form:

$$\frac{\begin{array}{c}\overline{\Phi \vdash P(e_1)}\;u_1\qquad\overline{\Phi \vdash P(e_2)}\;u_2\\ \vdots\\ \Phi \vdash P(\mathrm{app}\ e_1\ e_2)\end{array}\qquad\begin{array}{c}\overline{\Phi, x : \mathrm{term}\ \tau_1, u : P(x) \vdash P(e\ x)}\;u_3\\ \vdots\\ \Phi \vdash P(\mathrm{lam}\ (\lambda x : \mathrm{term}\ \tau_1.\ e\ x))\end{array}}{\Phi \vdash \forall e : \mathrm{term}\ \tau.\ P(e)}\ \mathrm{termind}^{u_1,u_2,u_3}$$



An induction principle of this form would be sufficient for our purposes. On the other hand, we push its definition another step further. In this form, the appeals to the induction hypothesis are limited, since the worlds are fixed in the assumptions $u_1$, $u_2$ and $u_3$. For our experiments, however, $\Phi$ describes a valid and regularly formed LF context, and it must hence satisfy various requirements such as weakening, contraction, and exchange. Therefore we distance ourselves from the standard notation for induction principles and instead develop a meta-logic based on a realizability interpretation of its proofs as total recursive functions. These functions range over arbitrary LF objects that are valid in some world $\Phi$ that is regular in structure. Thus, the soundness of our technique relies crucially on termination and coverage properties of the recursive functions.

By basing inductive definitions on the regular world assumption, this thesis generalizes previous work on standard induction principles, which requires the defined datatype not to occur in any negative position in any constructor type (see for example the inductive calculus of constructions [PM93]).

In this chapter we motivate the construction of our formal meta-logic that supports proofs about higher-order encodings of deductive systems. In particular, we demonstrate how to define recursive functions over simply-typed λ-terms, and over the ordinary (Chapter 2) and parallel (Chapter 3) reduction relations.


4.2  Methodology 

A meta-logical framework is an extension of a logical framework. Besides the representation layer, it provides an explicit layer that supports formal arguments about representations. This section is designed to lead the reader into the area of formalizing the meta-theory of deductive systems. In particular, we start with the formalization of closed meta-theorems and their proofs in Section 4.2.1, i.e. meta-theorems where all participating derivations can be assumed to be closed, that is, $\Phi$ is guaranteed to be empty. In Section 4.2.2 we generalize those techniques to open meta-theorems, and finally in Section 4.2.3 we extend these techniques to mutually dependent theorems.
Figure 4.1: The meta-logical layer. The figure shows two layers connected by the process of representation/formalization/encoding: informal reasoning (Church-Rosser theorem, cut-elimination theorem, type preservation properties) is encoded in the meta-logical framework (the meta-logic: propositions-as-formulas, proofs-as-realizers), and informal specification (simply-typed λ-calculus, logic calculi, operational semantics) is encoded in the logical framework (the type theory LF: judgments-as-types, derivations-as-objects).

4.2.1  Closed  Meta-Theorems 

In Chapter 3 we have presented a list of theorems which led to the proof of the Church-Rosser theorem for the simply-typed λ-calculus. Each proof followed very similar principles. We begin with the proof of the transitivity Lemma 3.1 for ordinary reductions. Two derivations 𝒟₁ :: e ⟶* e′ and 𝒟₂ :: e′ ⟶* e″ are given, from which a third, 𝒟 :: e ⟶* e″, is to be constructed. The formulations of all theorems are very similar in structure. A theorem typically consists of a block of universal quantifiers followed by a block of existentials. In the literature, formulas of this kind are called Π₂-formulas [Rog92]. The index "2" expresses that only one quantifier alternation is admitted, and the "Π" specifies that the first quantifier block is universal. For the formalization of Lemma 3.1 we omit the leading universal quantifiers for e, e′, and e″:

$\forall \mathcal{D}_1 :: e \longrightarrow^* e'.\ \forall \mathcal{D}_2 :: e' \long rightarrow^* e''.\ \exists \mathcal{D} :: e \longrightarrow^* e''.\ \top$

Intuitively, representing this theorem in the meta-logical framework must yield a function which maps objects of type ⌜e ⟶* e′⌝ and objects of type ⌜e′ ⟶* e″⌝ to objects of type ⌜e ⟶* e″⌝. Therefore, the universal quantifier can be read as a new function space constructor "⊃" for recursive functions:

$(e \longrightarrow^* e') \supset (e' \longrightarrow^* e'') \supset (e \longrightarrow^* e'')$

The recursive function space is different from the parametric one in that it allows function definition by cases, for the proof that goes by induction on 𝒟₁. The recursive function space is part of a new conceptual layer above LF, the so-called meta-logic, as shown in Figure 4.1. All quantifiers are first-order. In particular, the meta-logic we present in this thesis is the meta-logic ℳ₂⁺, which extends previous work [SP98]. It is presented informally in this section and formally in Chapter 5. The soundness of the meta-logic is based on an argument very similar to the one used in constructing the Curry-Howard isomorphism. It is based on a realizability interpretation of meta-proofs as total recursive functions, which we call realizers. A realizer computes, for any instantiation of the universal quantifiers, some witness objects for the existentials. Back to the representation of the transitivity theorem:

$\ulcorner \forall \mathcal{D}_1 :: e \longrightarrow^* e'.\ \forall \mathcal{D}_2 :: e' \longrightarrow^* e''.\ \exists \mathcal{D} :: e \longrightarrow^* e''.\ \top \urcorner =$
$\forall D_1 : \ulcorner e \longrightarrow^* e' \urcorner.\ \forall D_2 : \ulcorner e' \longrightarrow^* e'' \urcorner.\ \exists P : \ulcorner e \longrightarrow^* e'' \urcorner.\ \top$

The ∀ quantifier can be read as the recursive function space constructor (similar to a dependent Π type constructor), ∃ can be read as a Σ-type constructor, and ⊤ as the unit type, all on the meta-level. Strictly speaking, this version of the theorem is not complete since we must also universally quantify over all free variables:

$\forall \tau :: \mathsf{tp}.\ \forall e :: \mathsf{term}\ \tau.\ \forall e' :: \mathsf{term}\ \tau.\ \forall e'' :: \mathsf{term}\ \tau.$
$\forall \mathcal{D}_1 :: e \longrightarrow^* e'.\ \forall \mathcal{D}_2 :: e' \longrightarrow^* e''.\ \exists \mathcal{D} :: e \longrightarrow^* e''.\ \top$

It  translates  directly  into  a  formula  of  the  meta-logic.  For  better  presentation,  we  frame  the 
mathematical  formulations  of  the  theorems  from  Chapter  3. 

Lemma 4.1 (Transitivity of ⟶*, formalized)

If 𝒟₁ :: e ⟶* e′ and 𝒟₂ :: e′ ⟶* e″ then e ⟶* e″.

$= \forall T : \mathsf{tp}.\ \forall E : \mathsf{term}\ T.\ \forall E' : \mathsf{term}\ T.\ \forall E'' : \mathsf{term}\ T.$
$\quad \forall D_1 : E \longrightarrow^* E'.\ \forall D_2 : E' \longrightarrow^* E''.\ \exists P : E \longrightarrow^* E''.\ \top$

Each variable that occurs in another type in the theorem is called an index variable. Different from the logical framework level, where we have a type reconstruction mechanism as described in Section 2.4.1, type reconstruction on the meta-level may lead to ambiguous results, because it cannot be uniquely determined if index assumptions are to be universally or existentially quantified. Consider the abbreviated version of the Church-Rosser theorem

$\forall D : E_l \longleftrightarrow^* E_r.\ \exists R_1 : E_l \longrightarrow^* E'.\ \exists R_2 : E_r \longrightarrow^* E'.\ \top$

where it is impossible to determine the status of E′; the fully quantified version reads

$\forall T : \mathsf{tp}.\ \forall E_l : \mathsf{term}\ T.\ \forall E_r : \mathsf{term}\ T.$
$\forall D : E_l \longleftrightarrow^* E_r.\ \exists E' : \mathsf{term}\ T.\ \exists R_1 : E_l \longrightarrow^* E'.\ \exists R_2 : E_r \longrightarrow^* E'.\ \top$

Meta-theorems are encoded using recursive function spaces, and therefore meta-proofs are represented by recursive functions. Throughout this section, those functions are written in an ML-like style, with the important difference that the arguments do not range over ML datatypes but over LF objects well-formed according to a given signature. We repeat the signature encoding the ⟶-relation in LF from Section 2.5:

    ⟶     : term T → term T → type
    rbeta : (app (lam E₁) E₂) ⟶ E₁ E₂
    rlam  : (Πx : term T₁. E x ⟶ E′ x)
              → (lam E) ⟶ (lam E′)
    rapp₁ : E₁ ⟶ E₁′
              → (app E₁ E₂) ⟶ (app E₁′ E₂)
    rapp₂ : E₂ ⟶ E₂′
              → (app E₁ E₂) ⟶ (app E₁ E₂′)
Informally, we have proven the transitivity Lemma 3.1 already in Section 3.2.1. For the sake of a clearer presentation we repeat it here.

Proof: (of Lemma 3.1) by induction over 𝒟₁:

Case: 𝒟₁ = rid, i.e. 𝒟₁ :: e ⟶* e (so e′ = e)
    𝒟₂ :: e ⟶* e″                                  by assumption

Case: 𝒟₁ = rstep 𝒟₁′ 𝒟₁″ with 𝒟₁′ :: e ⟶ e‴ and 𝒟₁″ :: e‴ ⟶* e′
    𝒟″ :: e‴ ⟶* e″                                 by i.h. on 𝒟₁″ and 𝒟₂
    𝒟 :: e ⟶* e″                                   by rstep on 𝒟₁′, 𝒟″

□

It is this proof which is encoded as the realizer trans. The informal way of stating "proof by structural induction on 𝒟₁" from the proof of Lemma 3.1 is translated into "trans terminates because the argument D₁ decreases in size with every recursive call". When totally explicit, trans expects six arguments T, E, E′, E″, D₁, and D₂, but for our purposes we will omit the first four (implicit) arguments in order not to clutter the presentation. This leaves trans with only two arguments, D₁ and D₂:

    fun trans D₁ D₂ = ...

which we gradually refine until it defines a total function. Keywords and function names are typeset in bold type face in order to make the difference between the meta-level and the language level more explicit. The proof of Lemma 3.1 proceeds by induction on 𝒟₁. As we have seen, induction translates into a case analysis, generating two cases for D₁:

    fun trans rid D₂ = ...
      | trans (rstep D₁′ D₁″) D₂ = ...

Recall that the reason why we can use pattern matching here is that once instantiated, D₁ has a canonical form (by Theorem 2.6). D₁ will be bound to some (here closed) LF object M, which matches either the first or the second case, but it must match: the case cover must be complete, and "rid" and "rstep" are the only two constructors for the type family ⟶*. The first case can be directly finished by returning the object D₂:

    fun trans rid D₂ = D₂
      | trans (rstep D₁′ D₁″) D₂ = ...

The second case is more difficult. The original proof proceeds with the application of the induction hypothesis, followed by the construction of the witness derivation. In this setting, we use termination orders [RP96] to express the well-foundedness of the induction scheme: the recursion will terminate, because with each recursive call the first argument decreases in size, and since the subterm relation is well-founded the recursion will eventually come to a halt. Translated into formal jargon, we first execute a recursion operation on D₁″ and D₂, keeping in mind that we always have to justify why recursion does not invalidate the totality of the function. For this particular example, the case is clear. The induction hypothesis holds for 𝒟₁″ because 𝒟₁″ is smaller than 𝒟₁: in LF, D₁″ is smaller than D₁ because D₁″ is a subterm of D₁. Termination orders are presented in detail in Section 7.2.


    fun trans rid D₂ = D₂
      | trans (rstep D₁′ D₁″) D₂ =
          let
            val P = trans D₁″ D₂
          in
            ...
          end

Finally, we return the object "rstep D₁′ P" in place of the remaining ... to arrive at the final version of the function.

    fun trans rid D₂ = D₂
      | trans (rstep D₁′ D₁″) D₂ =
          let
            val P = trans D₁″ D₂
          in
            rstep D₁′ P
          end

We say that trans is a realizer of the transitivity theorem, and use the following shorthand:

$\vdash \mathsf{trans} \in \forall \tau :: \mathsf{tp}.\ \forall e :: \mathsf{term}\ \tau.\ \forall e' :: \mathsf{term}\ \tau.\ \forall e'' :: \mathsf{term}\ \tau.$
$\quad \forall \mathcal{D}_1 :: e \longrightarrow^* e'.\ \forall \mathcal{D}_2 :: e' \longrightarrow^* e''.\ \exists \mathcal{D} :: e \longrightarrow^* e''.\ \top$

The symbol ⊢ is reserved for validity on the meta-level, whereas the judgment of Section 2.4 only expresses validity on the language level. We postpone the formal presentation of the "∈" relation until Chapter 5.

Using the technique of successive refinements, we continue our quest for a formalized version of the Church-Rosser theorem with the encoding of Lemma 3.2. At first sight, all three cases of the lemma are very similar, but on a second look one recognizes that the first is different from the second and the third: e and e′ may contain the free variable x, whereas all terms in the other two cases are assumed to be closed. Without higher-order representation techniques, this lemma cannot be directly represented, but in our case it can: the representations of e :: term τ₁, e′ :: term τ₁ and 𝒟 :: e ⟶* e′ are functions, parametrized in x :: term τ₂. More precisely:

$\ulcorner e :: \mathsf{term}\ \tau_1 \urcorner = \lambda x : \mathsf{term}\ \ulcorner \tau_2 \urcorner.\ \ulcorner e \urcorner : \mathsf{term}\ \ulcorner \tau_2 \urcorner \to \mathsf{term}\ \ulcorner \tau_1 \urcorner$ where $\ulcorner x \urcorner = x$
$\ulcorner e' :: \mathsf{term}\ \tau_1 \urcorner = \lambda x : \mathsf{term}\ \ulcorner \tau_2 \urcorner.\ \ulcorner e' \urcorner : \mathsf{term}\ \ulcorner \tau_2 \urcorner \to \mathsf{term}\ \ulcorner \tau_1 \urcorner$ where $\ulcorner x \urcorner = x$
$\ulcorner \mathcal{D} :: e \longrightarrow^* e' \urcorner = \lambda x : \mathsf{term}\ \ulcorner \tau_2 \urcorner.\ \ulcorner \mathcal{D} \urcorner : \Pi x : \mathsf{term}\ \ulcorner \tau_2 \urcorner.\ (\ulcorner e \urcorner\ x \longrightarrow^* \ulcorner e' \urcorner\ x)$ where $\ulcorner x \urcorner = x$

This encoding is adequate, and again, this result rests on the canonical form Theorem 2.6. The representation of the derivation 𝒟 :: e ⟶* e′ is a function, and it can take exactly one of the two possible forms

$\ulcorner \mathcal{D} \urcorner = \lambda x : \mathsf{term}\ T_2.\ \mathsf{rid}$
$\ulcorner \mathcal{D} \urcorner = \lambda x : \mathsf{term}\ T_2.\ \mathsf{rstep}\ (D_1\ x)\ (D_2\ x)$

The representation of all three cases in Lemma 3.2 follows by successive refinement.


Lemma 4.2 (Admissible rules, formalized)

1. If 𝒟 :: e ⟶* e′ then λx:τ₂. e ⟶* λx:τ₂. e′

$= \forall T_1 : \mathsf{tp}.\ \forall T_2 : \mathsf{tp}.\ \forall E : \mathsf{term}\ T_2 \to \mathsf{term}\ T_1.\ \forall E' : \mathsf{term}\ T_2 \to \mathsf{term}\ T_1.$
$\quad \forall D : \Pi x : \mathsf{term}\ T_2.\ E\ x \longrightarrow^* E'\ x.$
$\quad \exists P : \mathsf{lam}\ (\lambda x : \mathsf{term}\ T_2.\ E\ x) \longrightarrow^* \mathsf{lam}\ (\lambda x : \mathsf{term}\ T_2.\ E'\ x).\ \top$

2. If 𝒟 :: e₁ ⟶* e₁′ then e₁ e₂ ⟶* e₁′ e₂

$= \forall T_1 : \mathsf{tp}.\ \forall T_2 : \mathsf{tp}.\ \forall E_1 : \mathsf{term}\ (T_2\ \mathsf{arrow}\ T_1).\ \forall E_1' : \mathsf{term}\ (T_2\ \mathsf{arrow}\ T_1).\ \forall E_2 : \mathsf{term}\ T_2.$
$\quad \forall D : E_1 \longrightarrow^* E_1'.$
$\quad \exists P : \mathsf{app}\ E_1\ E_2 \longrightarrow^* \mathsf{app}\ E_1'\ E_2.\ \top$

3. If 𝒟 :: e₂ ⟶* e₂′ then e₁ e₂ ⟶* e₁ e₂′

$= \forall T_1 : \mathsf{tp}.\ \forall T_2 : \mathsf{tp}.\ \forall E_1 : \mathsf{term}\ (T_2\ \mathsf{arrow}\ T_1).\ \forall E_2 : \mathsf{term}\ T_2.\ \forall E_2' : \mathsf{term}\ T_2.$
$\quad \forall D : E_2 \longrightarrow^* E_2'.$
$\quad \exists P : \mathsf{app}\ E_1\ E_2 \longrightarrow^* \mathsf{app}\ E_1\ E_2'.\ \top$

Proof: The termination order is the subterm order on D in all three cases.

1.  fun admissible₁ (λx : term T₂. rid) = rid
      | admissible₁ (λx : term T₂. rstep (D₁ x) (D₂ x)) =
          let
            val P = admissible₁ (λx : term T₂. D₂ x)
          in
            rstep (rlam (λx : term T₂. D₁ x)) P
          end

2.  fun admissible₂ rid = rid
      | admissible₂ (rstep D₁ D₂) =
          let
            val P = admissible₂ D₂
          in
            rstep (rapp₁ D₁) P
          end

3.  fun admissible₃ rid = rid
      | admissible₃ (rstep D₁ D₂) =
          let
            val P = admissible₃ D₂
          in
            rstep (rapp₂ D₁) P
          end

□

The intended way to read this formalized lemma is that the proofs admissible₁, admissible₂, and admissible₃ are functions in the encoding of Theorem 3.2, i.e. more formally:

$\vdash \mathsf{admissible}_1 \in \ulcorner \text{If } \mathcal{D} :: e \longrightarrow^* e' \text{ then } \lambda x{:}\tau.\ e \longrightarrow^* \lambda x{:}\tau.\ e' \urcorner$
$\vdash \mathsf{admissible}_2 \in \ulcorner \text{If } \mathcal{D} :: e_1 \longrightarrow^* e_1' \text{ then } e_1\ e_2 \longrightarrow^* e_1'\ e_2 \urcorner$
$\vdash \mathsf{admissible}_3 \in \ulcorner \text{If } \mathcal{D} :: e_2 \longrightarrow^* e_2' \text{ then } e_1\ e_2 \longrightarrow^* e_1\ e_2' \urcorner$

The function trans and the family of admissible functions make use of only three of the proof operations we have presented in Chapter 3: direct construction, case analysis, and application of the induction hypothesis.
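The realizers trans and admissible₁₋₃ above operate on LF objects. To make the realizability reading concrete, here is an added example (not the thesis's code, and not Twelf) in Rust that encodes the same reduction derivations as ordinary data and writes the realizers as the same structural recursions. It assumes a first-order encoding with named variables in place of LF binders, so the binder cases carry a bound name explicitly, and constructed inputs whose bound names are distinct, so that substitution needs no renaming. The checker red_ends plays the role of the typing judgment: it recovers the endpoints of a derivation and rejects one whose steps do not chain, which lets the result of trans be compared against the type ⌜e ⟶* e″⌝ it must inhabit.

```rust
// Added example (not the thesis's code): a first-order encoding of the
// terms of Chapter 2, their single-step (rbeta, rlam, rapp1, rapp2) and
// multi-step (rid, rstep) reductions, and the realizers trans (Lemma 4.1)
// and admissible1..3 (Lemma 4.2) as structurally recursive functions.
// Assumptions: named variables instead of LF binders; constructed inputs
// use distinct bound names, so substitution does no renaming.
#[derive(Clone, Debug, PartialEq)]
enum Term { Var(String), Lam(String, Box<Term>), App(Box<Term>, Box<Term>) }

fn var(x: &str) -> Term { Term::Var(x.to_string()) }
fn lam(x: &str, b: Term) -> Term { Term::Lam(x.to_string(), Box::new(b)) }
fn app(a: Term, b: Term) -> Term { Term::App(Box::new(a), Box::new(b)) }

// [v/x]e, relying on the distinct-names assumption (no capture)
fn subst(e: &Term, x: &str, v: &Term) -> Term {
    match e {
        Term::Var(y) if y == x => v.clone(),
        Term::Var(_) => e.clone(),
        Term::Lam(y, _) if y == x => e.clone(), // x is shadowed here
        Term::Lam(y, b) => lam(y, subst(b, x, v)),
        Term::App(a, b) => app(subst(a, x, v), subst(b, x, v)),
    }
}

// Single step e -> e', one constructor per rule of the LF signature.
#[derive(Clone, Debug)]
enum Step {
    RBeta(String, Term, Term),  // app (lam x. e1) e2 -> [e2/x]e1
    RLam(String, Box<Step>),    // rlam: the step happens under the binder x
    RApp1(Box<Step>, Term),     // rapp1: reduce the function position
    RApp2(Term, Box<Step>),     // rapp2: reduce the argument position
}

// Multi-step e ->* e'. rid carries the term that LF keeps implicit.
#[derive(Clone, Debug)]
enum Red { RId(Term), RStep(Box<Step>, Box<Red>) }

// The "type" of a single-step object: its two endpoints.
fn step_ends(s: &Step) -> (Term, Term) {
    match s {
        Step::RBeta(x, e1, e2) => (app(lam(x, e1.clone()), e2.clone()), subst(e1, x, e2)),
        Step::RLam(x, d) => { let (a, b) = step_ends(d); (lam(x, a), lam(x, b)) }
        Step::RApp1(d, e2) => { let (a, b) = step_ends(d); (app(a, e2.clone()), app(b, e2.clone())) }
        Step::RApp2(e1, d) => { let (a, b) = step_ends(d); (app(e1.clone(), a), app(e1.clone(), b)) }
    }
}

// Endpoints of a multi-step object, or None if its steps do not chain,
// i.e. the object is not a well-typed derivation.
fn red_ends(r: &Red) -> Option<(Term, Term)> {
    match r {
        Red::RId(e) => Some((e.clone(), e.clone())),
        Red::RStep(s, rest) => {
            let (a, b) = step_ends(s);
            let (c, d) = red_ends(rest)?;
            if b == c { Some((a, d)) } else { None }
        }
    }
}

// Realizer of Lemma 4.1: total because the first argument shrinks.
fn trans(d1: Red, d2: Red) -> Red {
    match d1 {
        Red::RId(_) => d2,
        Red::RStep(d1a, d1b) => Red::RStep(d1a, Box::new(trans(*d1b, d2))),
    }
}

// Realizers of Lemma 4.2. The name x is what this first-order encoding
// needs where the thesis abstracts over x with a lambda.
fn admissible1(x: &str, d: Red) -> Red {
    match d {
        Red::RId(e) => Red::RId(lam(x, e)),
        Red::RStep(s, rest) =>
            Red::RStep(Box::new(Step::RLam(x.to_string(), s)), Box::new(admissible1(x, *rest))),
    }
}
fn admissible2(d: Red, e2: &Term) -> Red {
    match d {
        Red::RId(e1) => Red::RId(app(e1, e2.clone())),
        Red::RStep(s, rest) =>
            Red::RStep(Box::new(Step::RApp1(s, e2.clone())), Box::new(admissible2(*rest, e2))),
    }
}
fn admissible3(e1: &Term, d: Red) -> Red {
    match d {
        Red::RId(e2) => Red::RId(app(e1.clone(), e2)),
        Red::RStep(s, rest) =>
            Red::RStep(Box::new(Step::RApp2(e1.clone(), s)), Box::new(admissible3(e1, *rest))),
    }
}

// Constructed input: (lam x. x) ((lam z. z) y) ->* (lam z. z) y ->* y,
// split into two derivations d1 and d2 that trans glues together.
fn demo() -> (Option<(Term, Term)>, Option<(Term, Term)>) {
    let inner = app(lam("z", var("z")), var("y"));
    let d1 = Red::RStep(Box::new(Step::RBeta("x".into(), var("x"), inner.clone())),
                        Box::new(Red::RId(inner)));
    let d2 = Red::RStep(Box::new(Step::RBeta("z".into(), var("z"), var("y"))),
                        Box::new(Red::RId(var("y"))));
    let p = trans(d1, d2);
    let under_lam = admissible1("w", p.clone());
    (red_ends(&p), red_ends(&under_lam))
}

fn main() { println!("{:?}", demo()); }
```

Running demo reports the endpoints of trans d1 d2 and of admissible₁ applied to it; the point of red_ends is that an object assembled by the realizer is only accepted when its steps chain, exactly the property the meta-level type ∃P : E ⟶* E″ demands.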

4.2.2  Open  Meta-Theorems 

In the remainder of this section we will continue to formalize the meta-theorems and meta-proofs, with special emphasis on the parameter operation, which is used for example in the formulation of Lemma 3.4 and its proof. Lemma 3.4 guarantees that each term parallel reduces to itself: for every expression e there exists a derivation of e ⟹ e.

The theorem is only provable if stated in appropriate generality; it must be so general that it accounts for the term e being well-formed in a regular extension of the world of the form

$\Phi ::= \cdot \mid \Phi, x :: \mathsf{term}\ \tau, u :: x \Longrightarrow x$

and then the resulting derivation 𝒟 :: e ⟹ e is valid in the same world Φ. Clearly, none of the techniques introduced so far can be directly applied to encode this theorem; we must define an operator that allows quantification over those regularly formed worlds. The encoding of a world extension yields an LF context which we call a parameter context. Similarly, each extension of the world is represented by a parameter context fragment called a parameter block. Parameter blocks must be regularly formed, i.e. they must be instantiations of some abstract description called a block schema. In our example, the block schema has the form:

$\mathsf{SOME}\ T : \mathsf{tp}.\ \mathsf{BLOCK}\ x : \mathsf{term}\ T, u : x \Longrightarrow x$

which reads as follows: for some object T of type tp, a parameter block must be an α-variant of x : term T, u : x ⟹ x. Block schemas are partial descriptions of the form of parameter contexts. Consequently, repeated instantiation of the block schema yields a valid parameter context. Hence, a single block schema describes entire sets of parameter contexts, and therefore we refer to it as a context schema for the remainder of this section. A motivation for more complex context schemas can be found in Section 4.2.3.

The well-formed world extension

$x_1 :: \mathsf{term}\ \tau_1, u_1 :: x_1 \Longrightarrow x_1, \ldots, x_n :: \mathsf{term}\ \tau_n, u_n :: x_n \Longrightarrow x_n$

is hence represented in the meta-logical framework as

$x_1 : \mathsf{term}\ \ulcorner \tau_1 \urcorner, u_1 : x_1 \Longrightarrow x_1, \ldots, x_n : \mathsf{term}\ \ulcorner \tau_n \urcorner, u_n : x_n \Longrightarrow x_n$

and it is an instance of the context schema from above.

In order to express quantification over regularly formed contexts we extend the formal language of theorems provided by the meta-logical framework by a new operator □. With its help, we can finally formalize the reflexivity Lemma 3.4:

Lemma 4.3 (Reflexivity theorem, formalized)

Let Φ be the dynamic extension of the world. Then for any well-typed term e, there exists a derivation of e ⟹ e.

$= \Box\ \mathsf{SOME}\ T : \mathsf{tp}.\ \mathsf{BLOCK}\ x : \mathsf{term}\ T, u : x \Longrightarrow x.$
$\quad \forall T : \mathsf{tp}.\ \forall E : \mathsf{term}\ T.\ \exists D : E \Longrightarrow E.\ \top$

The next question we must address is how meta-proofs of meta-theorems using context quantification are represented. We begin with the definition of the proof-representing function refl, which we define by successive refinement, keeping in mind that the context schema "SOME T : tp. BLOCK x : term T, u : x ⟹ x" is associated with refl.

    fun refl E = ...

The informal proof proceeds by induction over e, which is formalized by the subterm order on E. Case analysis is not as straightforward as for the transitivity lemma for ordinary reduction above: in addition to the cases introduced by the signature it must also consider parameter cases from Φ. In our example, there can only be one: E = x. Since parameter contexts are regularly built, it follows by inspection of the context schema that x must be declared in a parameter block of the form x : term T, u : x ⟹ x. Obviously, the parameter context can be composed of many instantiations of the block schema, and in order to completely cover all possible forms of E, we would have to provide a case for each possibility. This is impossible, since we would have to consider infinitely many cases!
Fortunately, there is a feasible and more elegant solution to this problem. We can take advantage of the regularity of the parameter context Φ. As long as the proof of a parameter case does not take advantage of the relative position of parameter blocks among each other, but only of other assumptions declared in the same parameter block, we can arrange things so that all infinitely many cases are covered by one single case: instead of distinguishing cases over all parameter contexts, we consider simultaneously all parameter contexts which contain a parameter block of the form x : term T, u : x ⟹ x. Naturally x and u do not stand for single parameter occurrences any more, but rather for a whole class, and in order to make this distinction explicit, we write x and u for variables ranging over parameter blocks.

Consequently, a case analysis of E yields three new cases: first a parameter case, second an app case, and third a lam case:

    fun refl x = ...
      | refl (lam (λx : term T. E′ x)) = ...
      | refl (app E₁ E₂) = ...


We incrementally construct this realizer by filling in the three holes ... top to bottom. First, we discuss the global parameter case for E = x. The original proof case can be immediately closed with uᵢ. Note that here ⌜xᵢ⌝ = x.

Case: e = xᵢ (where xᵢ :: term τᵢ)
    uᵢ :: xᵢ ⟹ xᵢ                                 by assumption

On the formal side, ⌜uᵢ⌝ = u can also be used to fill the first hole, since it is the only object of the desired type x ⟹ x. Note that this is the only information we extract from Φ, and therefore we do not need to pass Φ along in the definition of refl. Instead, information about x and u can be directly extracted from the context schema.


$\mathsf{SOME}\ T : \mathsf{tp}.\ \mathsf{BLOCK}\ x : \mathsf{term}\ T, u : x \Longrightarrow x$


Therefore, the LF signature Σ describes the static part of the world, and the context schema is the abstract specification of its dynamic extensions. These two descriptions contain all information needed to complete and to formalize the proof.

    fun refl x = u
      | refl (lam (λx : term T. E′ x)) = ...
      | refl (app E₁ E₂) = ...




We continue the construction of the realizer by revisiting the lam case of the proof.

Case: e = lam xₙ₊₁ : τ₁. e′ (where xₙ₊₁ :: term τ₁, e′ :: term τ₂, and e :: term (τ₁ → τ₂))
    Assume xₙ₊₁ :: term τ₁
    Assume uₙ₊₁ :: xₙ₊₁ ⟹ xₙ₊₁
    𝒟 :: e′ ⟹ e′                                                  by i.h. on e′
    𝒬 :: λxₙ₊₁ : term τ₁. e′ ⟹ λxₙ₊₁ : term τ₁. e′                by rule plam on 𝒟

In order to apply the induction hypothesis to the term e′, we appropriately extend the world in a way prescribed by the context schema. Only new instances of the block schema can be used, and in this case we refer to it as x : term ⌜τ₁⌝, u : x ⟹ x. The parameter context remains regularly formed after adding these two new declarations.


    fun refl x = u
      | refl (lam (λx : term T. E′ x)) =
          let
            new x : term T, u : x ⟹ x
          in
            ...
          end
      | refl (app E₁ E₂) = ...


In this extended context, we apply the induction hypothesis to the expression ⌜e′⌝ = E′ x and obtain an object P, which is still defined in the extended context. Note that P represents a derivation 𝒟 :: e′ ⟹ e′ by the adequacy result from Lemma 3.3. But 𝒟 is hypothetical in u :: x ⟹ x (and naturally in x :: term τ₁):

$P : \Pi x : \mathsf{term}\ \ulcorner \tau_1 \urcorner.\ \Pi u : x \Longrightarrow x.\ (E'\ x) \Longrightarrow (E'\ x) \qquad (4.1)$


In order to make P = ⌜𝒟⌝ available to the subsequent operations of this proof case, we insert another declaration into the body of the function refl.

    fun refl x = u
      | refl (lam (λx : term T. E′ x)) =
          let
            new x : term T, u : x ⟹ x
            val P x u = refl (E′ x)
          in
            ...
          end
      | refl (app E₁ E₂) = ...

The derivation 𝒟 matches the premiss of the plam rule, and we return "plam (λx : term T. λu : x ⟹ x. P x u)", which closes this case in the proof.

    fun refl x = u
      | refl (lam (λx : term T. E′ x)) =
          let
            new x : term T, u : x ⟹ x
            val P x u = refl (E′ x)
          in
            plam (λx : term T. λu : x ⟹ x. P x u)
          end
      | refl (app E₁ E₂) = ...

The representation of the final case in the proof of the reflexivity theorem does not present any new concepts or difficulties. Two applications of the induction hypothesis provide two new objects representing derivations, P₁ and P₂, which as a pair form the return value of this case. In order to compare the informal proof and its representation as a realizer, we repeat the proof here.

Proof: (of Lemma 3.4) by structural induction on e:

Case: e = xᵢ (where xᵢ :: term τᵢ)
    uᵢ :: xᵢ ⟹ xᵢ                                                 by assumption

Case: e = lam xₙ₊₁ : τ₁. e′ (where xₙ₊₁ :: term τ₁, e′ :: term τ₂, and e :: term (τ₁ → τ₂))
    Assume xₙ₊₁ :: term τ₁
    Assume uₙ₊₁ :: xₙ₊₁ ⟹ xₙ₊₁
    𝒟 :: e′ ⟹ e′                                                  by i.h. on e′
    𝒬 :: λxₙ₊₁ : term τ₁. e′ ⟹ λxₙ₊₁ : term τ₁. e′                by rule plam on 𝒟

Case: e = app e₁ e₂ (where e₁ :: term (τ₂ → τ₁), e₂ :: term τ₂, and e :: term τ₁)
    𝒟₁ :: e₁ ⟹ e₁                                                by i.h. on e₁
    𝒟₂ :: e₂ ⟹ e₂                                                by i.h. on e₂
    𝒬 :: app e₁ e₂ ⟹ app e₁ e₂                                   by rule papp on 𝒟₁, 𝒟₂

□


Proof: (realizer of Lemma 4.3)

• termination order is a subterm order on E

• using context schema "SOME T : tp. BLOCK x : term T, u : x ⟹ x"

    fun refl x = u
      | refl (lam (λx : term T. E′ x)) =
          let
            new x : term T, u : x ⟹ x
            val P x u = refl (E′ x)
          in
            plam (λx : term T. λu : x ⟹ x. P x u)
          end
      | refl (app E₁ E₂) =
          let
            val P₁ = refl E₁
            val P₂ = refl E₂
          in
            papp P₁ P₂
          end

□
    fun partrans pid D₂ = D₂
      | partrans (pstep D₁′ D₁″) D₂ =
          let
            val P = partrans D₁″ D₂
          in
            pstep D₁′ P
          end

Figure 4.2: Formal proof of the transitivity Theorem 4.4.

This concludes the presentation of the formalization of the proof of the reflexivity lemma for parallel reduction, and we continue with the formalization of the transitivity Lemma 3.5 and the substitution Lemma 3.6, both for parallel reduction. The formalization of the proof itself is very similar, almost identical, to the one of the transitivity Lemma 4.1 for ordinary reduction.

Lemma 4.4 (Transitivity of ⟹*, formalized)

Let Φ be the dynamic extension of the world. If 𝒟₁ :: e ⟹* e′ and 𝒟₂ :: e′ ⟹* e″ are closed then e ⟹* e″.

$= \Box\,\cdot.\ \forall T : \mathsf{tp}.\ \forall E : \mathsf{term}\ T.\ \forall E' : \mathsf{term}\ T.\ \forall E'' : \mathsf{term}\ T.$
$\quad \forall D_1 : E \Longrightarrow^* E'.\ \forall D_2 : E' \Longrightarrow^* E''.\ \exists P : E \Longrightarrow^* E''.\ \top$

Proof:

• termination order is a subterm order on D₁

• with an empty parameter context

Figure 4.2 shows the formal proof. □

The proof of the substitution lemma does not provide us with any new fundamental insights into how to formalize meta-theorems and meta-proofs either.
Lemma 4.5 (Substitution lemma, formalized)

$\Box\ \mathsf{SOME}\ T : \mathsf{tp}.\ \mathsf{BLOCK}\ x : \mathsf{term}\ T, u : x \Longrightarrow x.$
$\forall T_1 : \mathsf{tp}.\ \forall T_2 : \mathsf{tp}.\ \forall E_1 : \mathsf{term}\ T_2 \to \mathsf{term}\ T_1.\ \forall E_1' : \mathsf{term}\ T_2 \to \mathsf{term}\ T_1.$
$\forall E_2 : \mathsf{term}\ T_2.\ \forall E_2' : \mathsf{term}\ T_2.$
$\forall D_1 : (\Pi y : \mathsf{term}\ T_2.\ y \Longrightarrow y \to E_1\ y \Longrightarrow E_1'\ y).\ \forall D_2 : E_2 \Longrightarrow E_2'.$
$\exists P : E_1\ E_2 \Longrightarrow E_1'\ E_2'.\ \top$

As in the proof of Lemma 4.2 we have to perform a case analysis on the hypothetical derivation 𝒟. Because it is hypothetical, ⌜𝒟⌝ = λy : term T₂. λv : y ⟹ y. D₁′, and five different cases of D₁′ have to be considered: D₁′ could be either a parameter u declared in the dynamic extension of the world, simply v, or an object starting with any of the three constants "pbeta", "plam", or "papp".

Proof:

• termination order is a subterm order on D₁

• using context schema "SOME T : tp. BLOCK x : term T, u : x ⟹ x"

Figure 4.3 shows the formal proof. □

With the diamond lemma, arguably the most difficult lemma presented in Chapter 3, we shed some more light on the formalization process of the meta-theory of object languages such as programming languages and logics, and also on the meta-logic we are going to present in Chapter 5. So far we have demonstrated how to formalize "proofs by structural induction" using several operations, such as case analysis, direct construction of witness objects, appeals to the induction hypothesis, and regular extensions of the world. In addition, the formalization of the diamond lemma requires appeals to lemmas and extensions of termination orders.
    fun subst (λy : term T′. λv : y ⟹ y. u) E = u
      | subst (λy : term T′. λv : y ⟹ y. v) E = E
      | subst (λy : term T′. λv : y ⟹ y. pbeta (λx : term T. λu : x ⟹ x. D₁ y v x u) (D₂ y v)) E =
          let
            new x : term T, u : x ⟹ x
            val P₁ x u = subst (λy : term T′. λv : y ⟹ y. D₁ y v x u) E
          in
            let
              val P₂ = subst (λy : term T′. λv : y ⟹ y. D₂ y v) E
            in
              pbeta P₁ P₂
            end
          end
      | subst (λy : term T′. λv : y ⟹ y. plam (λx : term T. λu : x ⟹ x. D₁ y v x u)) E =
          let
            new x : term T, u : x ⟹ x
            val P₁ x u = subst (λy : term T′. λv : y ⟹ y. D₁ y v x u) E
          in
            plam P₁
          end
      | subst (λy : term T′. λv : y ⟹ y. papp (D₁ y v) (D₂ y v)) E =
          let
            val P₁ = subst (λy : term T′. λv : y ⟹ y. D₁ y v) E
            val P₂ = subst (λy : term T′. λv : y ⟹ y. D₂ y v) E
          in
            papp P₁ P₂
          end

Figure 4.3: Formal proof of the substitution Lemma 4.5.
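To show how the parameter case and the new declaration of the refl realizer (Lemma 4.3), and the case analysis of subst on a hypothetical derivation (Lemma 4.5, Figure 4.3), behave as programs, the following is an added example in Rust, not code from the thesis. It assumes a first-order named encoding of terms and parallel-reduction objects: a parameter block x : term T, u : x ⟹ x is modelled by the name x being a member of the world (a list of names), PVar(x) stands for that block's u, and checking a lam or pbeta premiss extends the world, as new does. Bound names in the constructed inputs are distinct, so no renaming is needed. The checker ends is the adequacy check: it returns the two endpoints of a derivation, or None when the derivation uses a u whose block is not in the world.

```rust
// Added example (not the thesis's code): parallel reduction in a
// first-order named encoding, with the realizers refl (Lemma 4.3) and
// subst (Lemma 4.5). A parameter block "x : term T, u : x => x" is
// modelled by x being a member of the world `ctx`; PVar(x) is that block's
// u. Assumption: bound names in constructed inputs are distinct, so the
// term substitution used by pbeta does no renaming.
#[derive(Clone, Debug, PartialEq)]
enum Term { Var(String), Lam(String, Box<Term>), App(Box<Term>, Box<Term>) }

fn var(x: &str) -> Term { Term::Var(x.to_string()) }
fn lam(x: &str, b: Term) -> Term { Term::Lam(x.to_string(), Box::new(b)) }
fn app(a: Term, b: Term) -> Term { Term::App(Box::new(a), Box::new(b)) }

// [v/x]e on terms (no capture, by the distinct-names assumption)
fn subst_term(e: &Term, x: &str, v: &Term) -> Term {
    match e {
        Term::Var(y) if y == x => v.clone(),
        Term::Var(_) => e.clone(),
        Term::Lam(y, _) if y == x => e.clone(),
        Term::Lam(y, b) => lam(y, subst_term(b, x, v)),
        Term::App(a, b) => app(subst_term(a, x, v), subst_term(b, x, v)),
    }
}

#[derive(Clone, Debug, PartialEq)]
enum Par {
    PVar(String),                        // u : x => x from the block of x
    PLam(String, Box<Par>),              // plam; premiss lives under a new block x, u
    PApp(Box<Par>, Box<Par>),            // papp
    PBeta(String, Box<Par>, Box<Par>),   // pbeta: (lam x. e1) e2 => [e2'/x] e1'
}

// Endpoints (e, e') of a derivation valid in the world `ctx`, or None if
// it uses a u whose parameter block is not in the world.
fn ends(d: &Par, ctx: &[String]) -> Option<(Term, Term)> {
    let extend = |x: &String| { let mut w = ctx.to_vec(); w.push(x.clone()); w };
    match d {
        Par::PVar(x) => ctx.iter().any(|y| y == x).then(|| (var(x), var(x))),
        Par::PLam(x, d1) => {
            let (a, b) = ends(d1, &extend(x))?;          // new x, u
            Some((lam(x, a), lam(x, b)))
        }
        Par::PApp(d1, d2) => {
            let (a, b) = ends(d1, ctx)?;
            let (c, e) = ends(d2, ctx)?;
            Some((app(a, c), app(b, e)))
        }
        Par::PBeta(x, d1, d2) => {
            let (a, b) = ends(d1, &extend(x))?;          // new x, u
            let (c, e) = ends(d2, ctx)?;
            Some((app(lam(x, a), c), subst_term(&b, x, &e)))
        }
    }
}

// Realizer of Lemma 4.3, structural recursion on e. The Var case answers
// with the u of x's block; refl never needs the world itself.
fn refl(e: &Term) -> Par {
    match e {
        Term::Var(x) => Par::PVar(x.clone()),
        Term::Lam(x, b) => Par::PLam(x.clone(), Box::new(refl(b))),
        Term::App(a, b) => Par::PApp(Box::new(refl(a)), Box::new(refl(b))),
    }
}

// Realizer of Lemma 4.5: replace the parameter derivation v of block y in
// d1 by d2, one case per head of d1 as in Figure 4.3; other u are kept.
fn subst(d1: &Par, y: &str, d2: &Par) -> Par {
    match d1 {
        Par::PVar(v) if v == y => d2.clone(),
        Par::PVar(_) => d1.clone(),
        Par::PLam(x, b) => Par::PLam(x.clone(), Box::new(subst(b, y, d2))),
        Par::PApp(a, b) => Par::PApp(Box::new(subst(a, y, d2)), Box::new(subst(b, y, d2))),
        Par::PBeta(x, a, b) =>
            Par::PBeta(x.clone(), Box::new(subst(a, y, d2)), Box::new(subst(b, y, d2))),
    }
}

// Constructed inputs: a closed term for refl; for subst, the derivation
// D1 = papp v v (valid in the world of y) and D2 : (lam z. z) w => w
// (valid in the world of w).
fn demo() -> (Option<(Term, Term)>, Option<(Term, Term)>, Option<(Term, Term)>) {
    let e = lam("x", app(var("x"), var("x")));
    let r = ends(&refl(&e), &[]);
    let open = ends(&refl(&var("x")), &[]);   // no block for x: rejected
    let d1 = Par::PApp(Box::new(Par::PVar("y".into())), Box::new(Par::PVar("y".into())));
    let d2 = Par::PBeta("z".into(), Box::new(Par::PVar("z".into())), Box::new(Par::PVar("w".into())));
    let s = ends(&subst(&d1, "y", &d2), &["w".to_string()]);
    (r, open, s)
}

fn main() { println!("{:?}", demo()); }
```

The second component of demo shows why the context quantifier matters: refl applied to a bare variable produces a derivation that is only valid in a world holding a block for that variable, so the checker rejects it in the empty world, while the substitution result is valid in the world of w alone because every v has been replaced by D2.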

Lemma 4.6 (Diamond lemma, formalized)

Let Φ be the dynamic extension of the world. If 𝒟ˡ :: e ⟹ eˡ and 𝒟ʳ :: e ⟹ eʳ then there exists a common reduct e′, such that ℛˡ :: eˡ ⟹ e′ and ℛʳ :: eʳ ⟹ e′.

$\Box\ \mathsf{SOME}\ T : \mathsf{tp}.\ \mathsf{BLOCK}\ x : \mathsf{term}\ T, u : x \Longrightarrow x.$
$\forall T : \mathsf{tp}.\ \forall E : \mathsf{term}\ T.\ \forall E^l : \mathsf{term}\ T.\ \forall E^r : \mathsf{term}\ T.$
$\forall D^l : E \Longrightarrow E^l.\ \forall D^r : E \Longrightarrow E^r.$
$\exists E' : \mathsf{term}\ T.\ \exists R^l : E^l \Longrightarrow E'.\ \exists R^r : E^r \Longrightarrow E'.\ \top$

As we have presented the proof of the diamond Lemma 3.7 in Chapter 3, it proceeds by simultaneous structural induction over the derivations 𝒟ˡ and 𝒟ʳ. Specifically, an induction hypothesis is applicable to two parallel reductions 𝒟′ˡ and 𝒟′ʳ given that 𝒟′ˡ is a subderivation of 𝒟ˡ and 𝒟′ʳ is either equal to or also a subderivation of 𝒟ʳ. Formally, the proof principle "proof by simultaneous structural induction" is represented by a new termination order, a simultaneous extension of the subterm ordering. We write [Dˡ Dʳ] for this new termination order, and it is defined as follows: a pair of objects [D′ˡ D′ʳ] is smaller than [Dˡ Dʳ] if either

    D′ˡ is structurally smaller than Dˡ, and either D′ʳ = Dʳ or D′ʳ is structurally smaller than Dʳ

or

    either D′ˡ = Dˡ or D′ˡ is structurally smaller than Dˡ, and D′ʳ is structurally smaller than Dʳ.

Another very common termination principle is "proof by lexicographical structural induction", which we will not demonstrate by example but merely state here. It is used for example in the proof of cut-elimination for various logics [Pfe95].

A proof by lexicographical induction on 𝒟ˡ and 𝒟ʳ provides an induction hypothesis which can be applied to terms 𝒟′ˡ and 𝒟′ʳ as long as 𝒟′ˡ is a subderivation of 𝒟ˡ and 𝒟′ʳ is arbitrary, or 𝒟′ˡ = 𝒟ˡ and 𝒟′ʳ is a subderivation of 𝒟ʳ. Formally, we write {Dˡ, Dʳ} for the lexicographical termination ordering. We say that {D′ˡ, D′ʳ} is below {Dˡ, Dʳ} if either

    D′ˡ is structurally smaller than Dˡ, and D′ʳ may be arbitrary

or

    D′ˡ = Dˡ and D′ʳ is structurally smaller than Dʳ.

Termination orderings based on simultaneous and lexicographical extensions of the subterm ordering have been studied in [RP96]. We reuse those results in order to prove that each recursive function formalizing a meta-proof is terminating. Recall that realizers must be total functions; specifically, upon instantiation they must terminate and the execution can never get stuck. Termination is enforced by allowing only recursive calls on argument vectors that are smaller according to some a priori specified well-founded termination order.
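The two termination orders just defined can be checked mechanically on concrete argument vectors. The following is an added example in Rust (not the thesis's code) that implements the simultaneous order [Dˡ Dʳ] and the lexicographical order {Dˡ, Dʳ} over a generic first-order tree standing in for LF objects, with "structurally smaller" taken as the proper-subterm relation; it assumes objects are compared purely syntactically, ignoring binders. The demo constructs the two recursive calls a pbeta/pbeta case of dia would make, and a call that the lexicographical order admits but the simultaneous order rejects.

```rust
// Added example (not the thesis's code): simultaneous and lexicographical
// extensions of the subterm order over a generic tree standing in for LF
// objects. Assumption: purely syntactic comparison, binders ignored.
#[derive(Clone, Debug, PartialEq)]
struct Obj { head: &'static str, args: Vec<Obj> }

fn obj(head: &'static str, args: Vec<Obj>) -> Obj { Obj { head, args } }

// "structurally smaller": a is a proper subterm of b
fn smaller(a: &Obj, b: &Obj) -> bool {
    b.args.iter().any(|k| k == a || smaller(a, k))
}

fn smaller_or_equal(a: &Obj, b: &Obj) -> bool { a == b || smaller(a, b) }

// [Dl', Dr'] below [Dl, Dr]: one component strictly smaller and the other
// equal or smaller (both halves of the definition in the text).
fn simultaneous_below(new: (&Obj, &Obj), old: (&Obj, &Obj)) -> bool {
    let ((nl, nr), (ol, orr)) = (new, old);
    (smaller(nl, ol) && smaller_or_equal(nr, orr))
        || (smaller_or_equal(nl, ol) && smaller(nr, orr))
}

// {Dl', Dr'} below {Dl, Dr}: first component strictly smaller with the
// second arbitrary, or first equal and second strictly smaller.
fn lexicographic_below(new: (&Obj, &Obj), old: (&Obj, &Obj)) -> bool {
    let ((nl, nr), (ol, orr)) = (new, old);
    smaller(nl, ol) || (nl == ol && smaller(nr, orr))
}

type Order = fn((&Obj, &Obj), (&Obj, &Obj)) -> bool;

// Every recursive call (caller arguments, callee arguments) must be below
// the caller under the chosen order for the function to count as total.
fn all_calls_below(calls: &[((Obj, Obj), (Obj, Obj))], order: Order) -> bool {
    calls.iter().all(|(caller, callee)|
        order((&callee.0, &callee.1), (&caller.0, &caller.1)))
}

// Constructed input: the shapes of Dl and Dr in a pbeta/pbeta case of dia.
fn demo() -> (bool, bool, bool, bool) {
    let leaf = |h| obj(h, vec![]);
    let (d1l, d2l, d1r, d2r) = (leaf("D1l"), leaf("D2l"), leaf("D1r"), leaf("D2r"));
    let dl = obj("pbeta", vec![d1l.clone(), d2l.clone()]);
    let dr = obj("pbeta", vec![d1r.clone(), d2r.clone()]);
    // the two appeals to the induction hypothesis in that case
    let ih_calls = vec![
        ((dl.clone(), dr.clone()), (d1l.clone(), d1r.clone())),
        ((dl.clone(), dr.clone()), (d2l.clone(), d2r.clone())),
    ];
    // a call whose right argument grew: only the lexicographical order admits it
    let grown = vec![((dl.clone(), dr.clone()), (d1l.clone(), obj("big", vec![dr.clone()])))];
    (all_calls_below(&ih_calls, simultaneous_below),
     all_calls_below(&ih_calls, lexicographic_below),
     all_calls_below(&grown, simultaneous_below),
     all_calls_below(&grown, lexicographic_below))
}

fn main() { println!("{:?}", demo()); }
```

The third and fourth results differ, which is the practical content of the distinction: a proof that shrinks its left derivation while passing an arbitrary right derivation needs the lexicographical order, whereas the simultaneous order is enough for the diamond lemma, where both arguments shrink or stay equal.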

The first two cases of the proof of Lemma 4.6 deserve special attention. We start with the discussion of the base case:

Case: 𝒟ˡ = u :: x ⟹ x and 𝒟ʳ = u :: x ⟹ x
    e′ = x                                        by assumption
    ℛˡ = ℛʳ = u                                   by assumption

How did this case come about? First, we distinguish cases on the derivation 𝒟ˡ and consider the global case, where x :: term τ and u :: x ⟹ x. Second, we distinguish cases on 𝒟ʳ, and because the parallel reduction 𝒟ʳ starts with the same term x, we conclude that the only possible instantiation of 𝒟ʳ is u. There are no other cases to be considered for 𝒟ʳ.

Formally, the proof of the diamond lemma is expressed by a function mapping two representations of parallel reductions Dˡ and Dʳ to two other parallel reductions Rˡ and Rʳ, which together form a diamond, graphically speaking.

    fun dia Dˡ Dʳ = ...

First we distinguish cases of Dˡ. For brevity, we only show the global parameter case and the β-rule case.
    fun dia u Dʳ = ...
      | dia (pbeta (λx : term T. λu : x ⟹ x. D₁ˡ x u) D₂ˡ) Dʳ = ...


Assume that there is one parameter context containing several parameter blocks, and each parameter block is an instance of the given block schema. At this point Dˡ is instantiated with some u of one of the parameter blocks. It is not clear if it is the first, the second, or the last; all we know is that there is one it is instantiated to. Clearly, Dʳ is a derivation which reduces x (the other assumption associated with the parameter block which contains u) to some term eʳ.

Next we have to consider all cases for Dʳ. Again there are several cases to be considered. The first case to try is that Dʳ = v, assuming that the regular world extension contains a parameter block of the form y, v. Hence Dʳ : y ⟹ y. We notice that this can only be the case if x and y refer to the same parameter in the same parameter block in Φ, since from the case analysis on Dˡ we can infer that Dʳ : x ⟹ Eʳ. Therefore Dʳ = u = v and x = y. This is the first possible form of Dʳ. It is also the only possible form of Dʳ, because any other instantiation of Dʳ whose head constant is defined in the signature clashes with the fact that Dʳ stands for a reduction of x.


fun  dia  uu  =  ... 

|  dia  (pbeta  (Arr  :  term  T.  Xu  :  x  x.  D[  x  u )  Dl2)  Dr  =  . . . 


Why  is  this  kind  of  argument  sound?  It  is  sound,  because  we  start  with  a  minimal  amount 
of  information,  namely  that  there  exists  a  second  parameter  block  in  the  parameter  context, 
and  it  is  only  because  of  additional  constraints  that  we  can  identify  it  with  one  whose  existence 
we  have  already  assumed.  In  order  to  close  this  proof  branch,  we  simply  return  the  pair  (u,  w). 


fun  dia  uu  =  (u1  u) 

|  dia  (pbeta  (Arr  :  term  T.Xu  :  x  =4-  x.  D\  x  u)  Dl2)  Dr  =  . . . 


The second case of the proof demonstrates an appeal to a lemma, namely the substitution Lemma 3.6 discussed above.




4.2.  METHODOLOGY 


And again, as in the previous case, an analysis of the second derivation leaves only one case. After two more appeals to the induction hypothesis we obtain the following partially defined realizer dia, where "..." marks the hole still to be filled.

    fun dia u u = (u, u)
      | dia (pbeta (λx : term T. λu : x ⇒ x. D1l x u) D2l)
            (pbeta (λx : term T. λu : x ⇒ x. D1r x u) D2r) =
        let
          new x : term T, u : x ⇒ x
          val (P1 x u, P2 x u) = dia (D1l x u) (D1r x u)
        in
          let
            val (Q1, Q2) = dia D2l D2r
          in
            ...
          end
        end
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According  to  the  informal  proof  the  only  steps  missing  to  close  this  branch  of  the  proof  are 
two  appeals  to  the  substitution  Lemma  3.6.  In  order  to  apply  a  lemma,  we  first  have  to  ensure 
that  the  context  scheme  of  the  lemma  to  be  proven  (i.e.  the  diamond  lemma)  and  the  lemma 
to  be  applied  (i.e.  Lemma  3.6)  are  compatible.  In  a  nutshell,  a  lemma  cannot  be  applied  in  a 
parameter  context  which  is  larger  than  the  one  in  which  the  lemma  is  proven,  in  the  sense,  that 
the  lemma  must  always  guarantee  coverage  of  all  cases.  These  considerations  establish  a  notion 
of  subsumption  on  context  schemas  which  we  investigate  in  more  detail  in  Section  5.7.2. 

The  context  schema  associated  with  the  proof  of  substitution  Lemma  4.5  and  the  context 
schema  associated  with  the  diamond  lemma  are  equal,  which  informally  implies  that  the  sub¬ 
stitution  lemma  covers  all  cases.  More  specifically,  it  is  safe  to  appeal  to  the  substitution  in  the 
proof  of  the  diamond  lemma. 

Having  checked  the  subsumption  property  of  the  context  schemas,  the  application  of  lemma 
translates  to  function  application  on  the  meta-level,  subst  formalizes  the  proof  of  the  substi¬ 
tution  lemma  in  form  of  a  recursive  function;  applying  this  function  yields  objects  representing 
the  derivations  whose  existence  is  guaranteed  by  the  lemma.  Specifically,  this  case  of  the  proof 
requires  two  appeals  to  the  substitution  lemma  which  yield  two  objects  E\  and  E2. 


    fun dia u u = (u, u)
      | dia (pbeta (λx : term T. λu : x ⇒ x. D1l x u) D2l)
            (pbeta (λx : term T. λu : x ⇒ x. D1r x u) D2r) =
        let
          new x : term T, u : x ⇒ x
          val (P1 x u, P2 x u) = dia (D1l x u) (D1r x u)
        in
          let
            val (Q1, Q2) = dia D2l D2r
            val R1 = subst P1 Q1
            val R2 = subst P2 Q2
          in
            ...
          end
        end


As a matter of fact, R1 and R2 are exactly the two derivations which the function formalizing this proof has to return. Therefore, filling the last hole in the body of the let clause with (R1, R2) closes the proof branch.
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4.2.  METHODOLOGY 


    fun dia u u = (u, u)
      | dia (pbeta (λx : term T. λu : x ⇒ x. D1l x u) D2l)
            (pbeta (λx : term T. λu : x ⇒ x. D1r x u) D2r) =
        let
          new x : term T, u : x ⇒ x
          val (P1 x u, P2 x u) = dia (D1l x u) (D1r x u)
        in
          let
            val (Q1, Q2) = dia D2l D2r
            val R1 = subst P1 Q1
            val R2 = subst P2 Q2
          in
            (R1, R2)
          end
        end


The remaining cases are easily represented using the same techniques presented in this chapter. The diamond lemma is therefore correct, and the function dia is a formalization of its proof, keeping in mind the context schema which was used to determine all the cases.

Proof: of Lemma 4.6:

• termination order is a subterm order on [Dl Dr]

• using context schema "SOME T : tp. BLOCK x : term T, u : x ⇒ x"

Figure 4.4 shows the formal proof. □

The diamond lemma is used in the proof of the strip lemma, which guarantees that a multi-step parallel reduction and a single-step parallel reduction have a common reduct. The theorem need not be as general as the reflexivity Lemma 4.3, the substitution Lemma 4.5, or the diamond Lemma 4.6; we assume the parameter context to be empty. Naturally, since the empty parameter context is also a parameter context of the context schema "SOME T : tp. BLOCK x : term T, u : x ⇒ x", the diamond lemma can be used in the proof of the strip lemma.

Lemma 4.7 (Strip lemma, formalized)

Let Φ be the dynamic extension of the world. If D^l :: e ⇒ e^l and D^r :: e ⇒* e^r then there exists a common reduct e', such that R^l :: e^l ⇒* e' and R^r :: e^r ⇒ e'.

    □ ∀T : tp. ∀E : term T. ∀El : term T. ∀Er : term T.
      ∀Dl : E ⇒ El. ∀Dr : E ⇒* Er.
      ∃E' : term T. ∃Rl : El ⇒* E'. ∃Rr : Er ⇒ E'. ⊤
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fun  dia  uu~  (u,  u) 

|  dia-(pbeta  (Ax  :  term  T.  Xu  :  x  =^=>  x .  D[  x  u)  P2)  (pbeta  (Xx  :  term  T.  Xu  :  x  a:.  Pi  x  w)  P£)  = 
let 

new  x  :  term  T,  w  :  x  x 

val  (Pi  xu,P'2Xu)  =  dia  (Pi  x  w)  (Pi  x  w) 

in 

let 

val  (Qi,Q2)  =  dia  P-i  P£ 
val  Pi  =  subst  Pi  Q\ 
val  Eo  =  subst  P 2  Q2 
in 

(EuE2) 

end 

end 

|  dia  (pbeta  (Ax  :  term  T.Xu  :  x  x.  Pi  x  w)  P2)  (papp  (plam  (Ax  :  term  T.Xu:  x  =A>  x.  P'7  x  u))  P2)  = 
let 

new  x  :  term  T,  w  :  x  x 

val  (Pi  x  w,  P2  x  w)  —  dia  (D[  x  u)  (D'{  x  u) 

in 

let 

val  (Qi,Q2)  =  dia  Pi  D\ 
val  Pi  =  subst  Pi  Q 1 
in 

(Pi, pbeta  P2  Q2) 

end 

end 

|  dia  (plam  (Ax  :  term  T. Xu  :  x  x.  Pi  x  w))  (plam  (Ax  :  term  T.Xu  :  x  x. PJ  x  w))  = 

let 

new  x  :  term  T,u  :x  =>  x 

val  (Pi  xu.Pzxu)  —  dia  (Pi  x  w)  (Pi  x;  w) 

in 

(plam  Pi,  plam  P2) 

end 

|  dia  (papp  (plam  (Ax  :  term  T.  Aw  :  x  x. P'/  x  w))  P2)  (pbeta  (Ax  :  term  T.Xu  :  x  x.  Pi  x  w)  Pi)  = 

let 

new  x  :  term  T,  w  :  x  x 

val  (Pi  x  w,  P2  x  w)  =  dia  (D[l  x  u)  (P[  x  w) 

in 

let 

val  (QuQy)  =  dia  Dl2  P2 
val  P2  =  subst  P2  Q2 
in 

(pbeta  Pi  Qi,P2) 

end 

end 

|  dia  (papp  D[  D-2)  (papp  D\  Dr2)  = 
let 

val  (Pu  P2)  =  dia  D[  D\ 
val  (Qi,  Qi)  =  dia  Dl2  Dr2 

in 

(papp  Pi  Qi,papp  P2  Q2) 

end 


Figure  4.4:  Formal  proof  of  the  diamond  Lemma  3.7 
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fun  strip  Dl  pid  =  (pid,  Dl) 

|  strip  Dl  (pstep  D\  DJ)  = 
let 

val  (Pi,P2)  =  dia  D1  D\ 
val  (P3,  E2)  =  strip  P2  P2 
in 

(pstep  Pi  P3 ,  E'i) 

end 


Figure  4.5:  Formal  proof  of  the  strip  Lemma  3.8 


Proof: 

•  termination  order  is  a  subterm  order  on  Dr 

•  with  an  empty  parameter  context 

Figure  4.5  shows  the  formal  proof.  □ 

The confluence lemma, a generalization of the strip lemma in that both given reductions may be multi-step reductions, relies on the strip lemma in its proof, as the reader might recall from Section 3.2.3.

Lemma 4.8 (Confluence lemma, formalized)

Let Φ be the dynamic extension of the world. If D^l :: e ⇒* e^l and D^r :: e ⇒* e^r then there exists a common reduct e', such that R^l :: e^l ⇒* e' and R^r :: e^r ⇒* e'.

    □ ∀T : tp. ∀E : term T. ∀El : term T. ∀Er : term T.
      ∀Dl : E ⇒* El. ∀Dr : E ⇒* Er.
      ∃E' : term T. ∃Rl : El ⇒* E'. ∃Rr : Er ⇒* E'. ⊤

Proof:

• termination order is a subterm order on Dl

• with an empty parameter context

Figure 4.6 shows the formal proof. □

In the proof of the Church-Rosser theorem, all our results so far flow together. The interesting case is transitivity: two appeals to the induction hypothesis, one application of the confluence lemma, and finally two appeals to the transitivity lemma for parallel reduction conclude that any two parallel convertible terms have a common reduct.
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fun  conf  pid  Dr  =  (Pr,  pid) 

|  conf  (pstep  D[  Dl2)  Dr  = 
let 

val  (Pi,  P2)  =  strip  D[  Dr 
val  (Pi ,  P3)  =  conf  D2  Pi 
in 

(Pi, pstep  P2  P3) 

end 


Figure  4.6:  Formal  proof  of  the  confluence  Lemma  3.9 


    fun cr (pred D1) = (D1, pid)
      | cr (pexp D1) = (pid, D1)
      | cr (ptrans D1 D2) =
        let
          val (P1, P2) = cr D1
          val (P3, P4) = cr D2
          val (Q1, Q2) = conf P2 P3
          val E1 = partrans P1 Q1
          val E2 = partrans P4 Q2
        in
          (E1, E2)
        end

Figure 4.7: Formal proof of the Church-Rosser Theorem 3.10 for parallel reduction

Theorem 4.9 (Church-Rosser theorem for parallel reduction, formalized)

Let Φ be the dynamic extension of the world. If D :: e^l ⇔ e^r then there exists a common reduct e', such that R^l :: e^l ⇒* e' and R^r :: e^r ⇒* e'.

    □ ∀T : tp. ∀El : term T. ∀Er : term T.
      ∀D : El ⇔ Er.
      ∃E' : term T. ∃Rl : El ⇒* E'. ∃Rr : Er ⇒* E'. ⊤


Proof: 

•  termination  order  is  a  subterm  order  on  D 

•  with  an  empty  parameter  context 

Figure  4.7  shows  the  formal  proof.  □ 
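The functions dia, strip, conf and cr above are the proof terms themselves: each case of a lemma is a clause, each appeal to the induction hypothesis a recursive call, and each appeal to a lemma a call to that lemma's function. The following Python program is an added example, not code from the thesis or from Twelf, that executes the same construction on a first-order encoding: terms and derivations are tuples over de Bruijn indices, so the parameter blocks x : term T, u : x ⇒ x of the higher-order encoding become indices, and the new/abstraction steps of the formal proof disappear into shift and subst. The tuple tags and the helper names ends and reduct are this example's own choices.

```python
"""Parallel reduction on de Bruijn lambda terms, with the diamond, strip,
confluence and Church-Rosser proofs written as the total recursive functions
the text describes.  Added example, not code from the thesis or from Twelf: it
uses a first-order (de Bruijn) encoding instead of LF's higher-order one, so
the parameter blocks x : term T, u : x => x live in the indices."""

# Terms:  ('var', i) | ('lam', M) | ('app', M, N)
# Single-step derivations D :: e => e':
#   ('pvar', i)        x => x
#   ('plam', D)        lam M => lam M'          D  :: M => M'
#   ('papp', D1, D2)   app M N => app M' N'     D1 :: M => M', D2 :: N => N'
#   ('pbeta', D1, D2)  app (lam M) N => M'[N']  D1 :: M => M', D2 :: N => N'
# Multi-step reductions (pid / pstep) are Python lists of single steps.

UNDER = {'lam': 1, 'plam': 1, 'pbeta': 1}   # argument position under a binder

def shift(t, d, c=0):
    """Shift free indices >= c by d; terms and derivations share one shape."""
    if t[0] in ('var', 'pvar'):
        return (t[0], t[1] + d) if t[1] >= c else t
    return (t[0],) + tuple(shift(a, d, c + (k == UNDER.get(t[0])))
                           for k, a in enumerate(t[1:], 1))

def subst(body, arg, j=0):
    """body[arg/j] with binder j removed.  On derivations this is the realizer
    of the substitution lemma: D1 :: M => M', D2 :: N => N' give M[N] => M'[N']."""
    if body[0] in ('var', 'pvar'):
        if body[1] == j:
            return shift(arg, j)
        return (body[0], body[1] - 1) if body[1] > j else body
    return (body[0],) + tuple(subst(a, arg, j + (k == UNDER.get(body[0])))
                              for k, a in enumerate(body[1:], 1))

def ends(D):
    """(source, target) of a single-step derivation."""
    if D[0] == 'pvar':
        return ('var', D[1]), ('var', D[1])
    if D[0] == 'plam':
        s, t = ends(D[1])
        return ('lam', s), ('lam', t)
    (s1, t1), (s2, t2) = ends(D[1]), ends(D[2])
    if D[0] == 'papp':
        return ('app', s1, s2), ('app', t1, t2)
    return ('app', ('lam', s1), s2), subst(t1, t2)

def dia(Dl, Dr):
    """Diamond lemma: Dl :: e => el, Dr :: e => er give (R1 :: el => e', R2 :: er => e').
    Cases as in Figure 4.4; every recursive call is on subterms of (Dl, Dr)."""
    l, r = Dl[0], Dr[0]
    if l == 'pvar' and r == 'pvar':
        return Dl, Dr
    if l == 'plam' and r == 'plam':
        P1, P2 = dia(Dl[1], Dr[1])
        return ('plam', P1), ('plam', P2)
    if l == 'papp' and r == 'papp':
        (P1, P2), (Q1, Q2) = dia(Dl[1], Dr[1]), dia(Dl[2], Dr[2])
        return ('papp', P1, Q1), ('papp', P2, Q2)
    if l == 'pbeta' and r == 'pbeta':
        (P1, P2), (Q1, Q2) = dia(Dl[1], Dr[1]), dia(Dl[2], Dr[2])
        return subst(P1, Q1), subst(P2, Q2)
    if l == 'pbeta' and r == 'papp':   # Dr = papp (plam E1) E2, forced by the common source
        (P1, P2), (Q1, Q2) = dia(Dl[1], Dr[1][1]), dia(Dl[2], Dr[2])
        return subst(P1, Q1), ('pbeta', P2, Q2)
    if l == 'papp' and r == 'pbeta':   # the symmetric case
        (P1, P2), (Q1, Q2) = dia(Dl[1][1], Dr[1]), dia(Dl[2], Dr[2])
        return ('pbeta', P1, Q1), subst(P2, Q2)
    raise ValueError('derivations do not start from the same term')

def strip(Dl, Drs):
    """Figure 4.5: Dl :: e => el, Drs :: e =>* er give (Rl :: el =>* e', Rr :: er => e')."""
    if not Drs:                       # Drs = pid
        return [], Dl
    P1, P2 = dia(Dl, Drs[0])
    P3, E2 = strip(P2, Drs[1:])
    return [P1] + P3, E2

def conf(Dls, Drs):
    """Figure 4.6: both reductions multi-step; recursion on Dls."""
    if not Dls:                       # Dls = pid
        return Drs, []
    P1, P2 = strip(Dls[0], Drs)
    R1, P3 = conf(Dls[1:], P1)
    return R1, [P2] + P3

def cr(C):
    """Figure 4.7 on conversions ('pred', Ds) | ('pexp', Ds) | ('ptrans', C1, C2);
    partrans is list concatenation."""
    if C[0] == 'pred':
        return C[1], []
    if C[0] == 'pexp':
        return [], C[1]
    (P1, P2), (P3, P4) = cr(C[1]), cr(C[2])
    Q1, Q2 = conf(P2, P3)
    return P1 + Q1, P4 + Q2

def reduct(e, Ds):
    """Run a multi-step reduction from e, checking that the steps chain."""
    for D in Ds:
        s, t = ends(D)
        if s != e:
            raise ValueError('steps do not chain')
        e = t
    return e
```

Running dia on the two parallel reductions of (λx. x x) ((λy. y) z) that contract the outer redex only and the inner redex only returns the two derivations closing the diamond at z z, and cr threads them through conf for a conversion built from one expansion and one reduction. The ValueError branch in dia is never reached when both derivations start from the same term; those are exactly the combinations that the coverage check on the context schema rules out in the formal proof, and the chaining check in reduct is the totality guarantee a realizer provides.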

This concludes our presentation of the formalization of meta-theorems and meta-proofs related to ordinary and parallel reductions. One could continue with the presentation of the proofs of Lemmas 3.11-3.14 from Section 3.2.4, and the interested reader is invited to do so, but we prefer to leave them to the automated theorem prover, which will be presented in Chapter 8.
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4.2.  METHODOLOGY 


4.2.3 More on Meta-Theorems

The formalization techniques motivated in the previous section are not complete. We have omitted two important techniques, which we discuss in this section.

First, note that all parameter contexts presented in the previous section were generated by at most one block schema. This is not always the case. In general, context schemas consist of many block schemas, which makes it necessary to label the different parameter blocks in a parameter context in order to reconstruct which context block is an instance of which block schema. In particular, when we extend the simply-typed λ-calculus by polymorphism we also have to generalize the induction hypotheses of the entire sequence of theorems accordingly.

Second, there are many theorems which must be proven by mutual induction. All theorems from the previous section were provable on their own, without mutually relying on any other lemma. Consider for example the reflexivity result for a normalized version of the simply-typed λ-calculus, where we distinguish between atomic and canonical forms. The definition of canonical forms relies on the definition of atomic forms, and this circularity must be reflected in the meta-logic.

Context schemas

Context schemas inductively and abstractly describe all admissible parameter contexts. In the previous section we have encountered one form of context schema, which is described by one block schema: "SOME T : tp. BLOCK x : term T, u : x ⇒ x". In general, one block schema is not enough, since parameters can be introduced anywhere in a proof, and they may not always look the same. In order to demonstrate this effect, we slightly extend our version of the simply-typed λ-calculus from Figure 2.2 by polymorphism. On the type level, we add type variables α and a type quantifier ∀α.τ which binds all free occurrences of the type variable α in τ. The following extends the definition of types from Section 2.2.

    Types:  τ ::= ... | α | ∀α.τ

These new types can be adequately represented using higher-order abstract syntax, which means in this context that type variables are represented by LF variables: ⌜α⌝ = α.

    all : (tp → tp) → tp

The changes in the type system are reflected in the syntactic category of terms in a natural way. On the one hand, there are polymorphic terms which expect a type as argument in order to specialize the type of the body. On the other hand, there is an application operator which applies polymorphic terms to types and hence executes the specialization.

    Terms:  e ::= ... | Λα.e | e · τ

The term Λα.e is well-typed of type ∀α.τ if e is well-typed of type τ assuming α as a new type, and e · τ' is well-typed of type τ[τ'/α] if e has type ∀α.τ and τ' is a type. As one might already suspect, this extended notion of terms can be adequately represented in the logical framework.

    tlam : (Πα : tp. term (T α)) → term (all (λα : tp. T α))
    tapp : term (all (λα : tp. T1 α)) → ΠT2 : tp. term (T1 T2)
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Finally,  we  extend  the  parallel  reduction  relation  from  Section  3.2.2  with  reduction  rules  for 
type  abstraction  and  type  application.  The  rules  are  entirely  straightforward. 

1  x  f  1  / 

e  =>  e  e  =>.  e 

- ptlam  . - ptapp 

A a.e  ==>  A a.e'  e  ■  r  =»  el  ■  r 

In  addition,  they  can  be  adequately  represented  in  the  logical  framework. 

ptlam  :  (no  :  tp.  E  a  E'  a) 

— >  tlam  (A a  :  tp.  E  a)  tlam  (A a  :  tp.  E'  a) 

ptapp  :  E  E' 

— >  tapp  E  T  tapp  E1  T 

This concludes the presentation of a polymorphic extension of the simply-typed λ-calculus. After extending it, one has to verify that the series of lemmas leading to the Church-Rosser theorem still holds. They could be invalidated by extending the underlying deductive systems, and indeed they are. Already the first theorem, namely the reflexivity property of the parallel reduction relation (Lemma 3.4), does not hold anymore. Why not? In the original version of the lemma we assumed the context to be

    x1 :: term τ1, u1 :: x1 ⇒ x1, ..., xn :: term τn, un :: xn ⇒ xn        (4.2)

But this is not enough in order to prove reflexivity for the polymorphic parallel reduction. In the ptlam case, we have to traverse a Λ-binder that binds a type variable α! But this assumption does not fit into the overall structure of the assumption list (4.2). In general, we might assume the presence of several type variables:

    α1 :: tp, ..., αm :: tp        (4.3)

Assumption lists (4.2) and (4.3) may be arbitrarily interspersed while still respecting parameter block boundaries. When formalizing the generalized version of the reflexivity lemma, we must provide for these additional assumptions by adding a new block schema, in this case BLOCK α : tp, to the context schema.

Lemma 4.10 (Reflexivity theorem for polymorphic parallel reduction, formalized)

    □ SOME T : tp. BLOCK x : term T, u : x ⇒ x | BLOCK α : tp.
      ∀T : tp. ∀E : term T. ∃D : E ⇒ E. ⊤

Therefore, context schemas are defined as a list of block schemas, and in order to identify different occurrences of parameter blocks as instances of the same block schema, we assign a necessarily unique label to each block schema. The first block schema is labeled L1, and the second is labeled L2.

    □ (SOME T : tp. BLOCK x : term T, u : x ⇒ x)^L1 | (BLOCK α : tp)^L2.
      ∀T : tp. ∀E : term T. ∃D : E ⇒ E. ⊤
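Context schemas as described here, the labelling of blocks, and the subsumption check that must precede an appeal to a lemma (the reason dia may call subst, and the empty-context strip lemma may call dia; Section 5.7.2 develops it) can be made concrete as a small checker. The following Python is an added example, not the thesis's definitions or Twelf's implementation: it fixes an ad hoc tuple syntax for LF types, treats instance checking as first-order matching of a block schema's SOME variables against one block, and approximates subsumption by freezing those variables to fresh constants. The names DIAMOND_SCHEMA, POLY_SCHEMA, match, block_instance, label_context and subsumed, and the sample contexts, are this example's own.

```python
"""Checking a parameter context against a context schema, labelling its blocks,
and a subsumption test between schemas.  Added example, not the thesis's own
definitions; the type syntax below is an assumption of this example."""

# Type syntax:  'tp' | ('term', T) | ('pred', X, Y) for X => Y | ('arrow', T1, T2)
# Block schema:  (label, set of SOME variables, [(name, type), ...])
# Parameter context:  list of blocks, each a list of (name, type) pairs.

DIAMOND_SCHEMA = [('L1', {'T'}, [('x', ('term', 'T')), ('u', ('pred', 'x', 'x'))])]
POLY_SCHEMA = DIAMOND_SCHEMA + [('L2', set(), [('a', 'tp')])]   # Lemma 4.10


def match(pat, typ, some, env, names):
    """Match schema type pat against instance type typ.  SOME variables are bound
    in env on first use; names declared earlier in the block are looked up in
    names; anything else is a constant that must be equal."""
    if isinstance(pat, str):
        if pat in some:
            env.setdefault(pat, typ)
            return env[pat] == typ
        if pat in names:
            return names[pat] == typ
        return pat == typ
    return (isinstance(typ, tuple) and len(pat) == len(typ) and pat[0] == typ[0]
            and all(match(p, t, some, env, names) for p, t in zip(pat[1:], typ[1:])))


def block_instance(block, schema_block):
    """Is block an instance of schema_block?  Declarations must line up one to
    one and in order, so nothing can be added to or dropped from a block."""
    _label, some, decls = schema_block
    if len(block) != len(decls):
        return False
    env, names = {}, {}
    for (name, typ), (sname, pat) in zip(block, decls):
        if not match(pat, typ, some, env, names):
            return False
        names[sname] = name
    return True


def label_context(schema, ctx):
    """Label each block of ctx with the block schema it instantiates, or return
    None if some block matches no block schema (ctx is then not admissible)."""
    labels = []
    for block in ctx:
        found = [sb[0] for sb in schema if block_instance(block, sb)]
        if not found:
            return None
        labels.append(found[0])
    return labels


def freeze(t, env):
    """Replace SOME variables by the fresh constants in env."""
    if isinstance(t, str):
        return env.get(t, t)
    return (t[0],) + tuple(freeze(a, env) for a in t[1:])


def subsumed(schema_a, schema_b):
    """Every admissible context of schema_a is admissible for schema_b: each block
    schema of A, with its SOME variables frozen to fresh constants, must be an
    instance of some block schema of B.  The empty schema is subsumed by all."""
    for label, some, decls in schema_a:
        frozen = {v: ('fresh', label, v) for v in some}
        block = [(n, freeze(t, frozen)) for n, t in decls]
        if not any(block_instance(block, sb) for sb in schema_b):
            return False
    return True
```

With this checker the step in the diamond proof reads: subsumed(DIAMOND_SCHEMA, DIAMOND_SCHEMA) holds trivially, so subst may be called; subsumed([], DIAMOND_SCHEMA) holds, which is why the strip lemma proved in the empty context may call dia; and subsumed(POLY_SCHEMA, DIAMOND_SCHEMA) fails, because a block α : tp has no counterpart, which is the precise reason the polymorphic reflexivity lemma needs the larger schema rather than the old one.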

This concludes the discussion of more complex context schemas. We continue with a brief overview of mutually dependent meta-theorems.

Mutually dependent meta-theorems

We say that two or more meta-theorems are mutually dependent if none of them can be proved without the others. Mutually dependent theorems occur frequently in the formal theory of programming languages and logics. Often they are needed if the argument proceeds by induction over the derivation of a judgment (or of several, depending on the termination order) which mutually depends on another. Consider for example our definition of canonical forms from Section 2.4.3. Canonical forms are defined in terms of atomic forms, and atomic forms are defined in terms of canonical forms.

Below we define canonical forms for the simply-typed λ-calculus (without dependencies). In this setting, proving some property P for canonical forms typically requires another property Q to be proven for atomic forms. Consider for example the proof that canonical forms enjoy the reflexivity property; it is also necessary to show that this property holds for atomic forms.

We omit the informal presentation of canonical and atomic forms and instead simply describe their representation in LF. There are two type families can and atm which represent well-typed canonical and well-typed atomic forms.

    can : tp → type
    atm : tp → type

Using these two type families, application and λ-abstraction are easily represented, and for coercion purposes there is a rule very similar to canatm.

    eapp : can (T2 arrow T1) → atm T2 → atm T1
    elam : (atm T1 → can T2) → can (T1 arrow T2)
    eca  : atm T → can T

Intuitively, each closed canonical term is well-typed. As expected, this lemma cannot be proven directly. First, it must be generalized to account for closed atomic terms, which are clearly well-typed, too. But this is still not enough. When reasoning inductively about canonical forms, one notices quickly that terms may be open with respect to a set of atomic well-typed variables.

Lemma 4.11 (Embedding) Consider the situation where a list of the following assumptions is present:

    x1 :: atm τ1, y1 :: term τ1, ..., xn :: atm τn, yn :: term τn

• Every canonical form ec is well-typed

• Every atomic form ea is well-typed

Proof: by mutual induction over ea and ec. □

In our meta-logic, this theorem is formalized by using conjunction.

Lemma 4.12 (Embedding (formalized))

    □ SOME T : tp. BLOCK x : atm T, y : term T.
      (∀T : tp. ∀Ec : can T. ∃E' : term T. ⊤) ∧ (∀T : tp. ∀Ea : atm T. ∃E' : term T. ⊤)

But how can we guarantee termination of the recursive function corresponding to the proof of this theorem? In order to answer this question, we have to generalize the notion of termination orders. From an abstract point of view, the realizers formalizing the first and the second part of the theorem call each other recursively. In order to ensure termination, we must guarantee that the argument to the functions always decreases in size according to some well-founded measure. Recall that in this thesis the measure of choice is the subterm relation. Specifically, when the function representing the first part calls the other with some Ea, we always enforce Ea to be a subterm of the original argument term Ec. Similarly, when the second function calls the first with argument Ec, Ec must be smaller than or equal to the initial argument Ea. This termination order is expressed formally as (Ec Ea). Note that there is an important difference between a termination order which expresses simultaneous induction, such as [Dl Dr] in the proof of the diamond Lemma 4.6, and the one for mutual induction.

Proof: of Lemma 4.12

• termination order is a subterm order on (Ec Ea)

• using context schema "SOME T : tp. BLOCK x : atm T, y : term T"

Figure 4.8 shows the formal proof. □

We conclude this subsection with a final remark about applying the induction hypothesis under a local extension of the parameter context. In the formalization of the reflexivity Lemma 3.4 for parallel reduction, we extend the regular world (or, formally, the parameter context) by two new parameters before we apply the induction hypothesis. First, we assumed that x is a term of type τ1, and second that it reduces in parallel to itself: x ⇒ x. After appealing to the induction hypothesis, or, functionally speaking, after calling the function refl recursively, we obtained a new derivation P x u, which had to be abstracted to the correct context. Equation (4.1) provided us with the correct insight that a hypothetical judgment is represented as a function type in LF.

    ⌜ D :: e' ⇒ e' ⌝ = Πx : term ⌜τ1⌝. Πu : x ⇒ x. (E' x) ⇒ (E' x)

In the formalization of the embedding Lemma 4.11, we only used one of the two parameters "x : atm T1, y : term T1" to conclude that "E' : term T1 → term T2". If we had not omitted x,
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fun  embedding0  (eapp  Ec  Ea)  = 
let 

val  Ei  =  embedding0  Ec 
val  E-2  ~  embedding0  E° 
in 

app  E\  E-2 

end 

and  embedding0  (elam  (Xx  :  atm  T\.  Ec  x))  = 
let 

new  x  :  atm  T\ ,  y  :  term  Tj 

val  E'  y  =  embedding0  ((A.r  :  atm  T\ .  Ec  x)  x) 

in 

lam  Ef 

end 

|  embedding0  (era  En)  = 

let 

val  E'  =  embedding0 
in 
E' 
end 


Figure  4.8:  Formal  proof  of  the  embedding  Lemma  4.11  for  parallel  reduction 


E' would have the type "atm T1 → term T1 → term T2" and consequently it would be impossible to apply lam to E' in order to close the proof branch. But note: for typing reasons we can infer from the signature that E' can never depend on x. Therefore, we can strengthen the type of E' by omitting "atm T1". On the other hand, if E' did contain an occurrence of x, x would escape its scope and destroy the adequacy of the encoding of terms.

How can we mechanize the decision when to omit x? The answer to this question requires a careful analysis of the signature: it follows by inspection that "term" and "atm" are defined entirely independently of each other, i.e. no object of type atm T for any T can contain an object of type term T', and vice versa. We say that a type family a2 depends on another type family a1 if objects of a1 can be subterms of objects of a2, or, synonymously, that a1 is subordinate to a2. This relation on type families is called the dependency or subordination relation in the literature; it was introduced by Rohwedder [Roh96] and thoroughly studied by Virga [Vir99]. In order not to clutter the presentation of the meta-logic, we postpone the issue of subordination until Section 6.2.2.
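The decision just described, whether a parameter x : atm T1 can be dropped from the type of E' : term T2, is mechanical once the subordination relation of the signature is known. The following Python is an added example, not the thesis's or Twelf's implementation: KINDS and SIG record only which type families occur in the kinds and constant types shown on this page (plus the term-level constants lam and app of the simply-typed fragment), subordination closes that graph transitively, and can_strengthen applies the rule that x may be omitted exactly when its family is not subordinate to the family of E'. The dictionaries and function names are this example's own.

```python
"""Subordination relation of an LF signature, used to decide strengthening.
Added example, not the thesis's or Twelf's code.  Only the type families that
occur in each kind or constant type are recorded; the index structure of the
types (which T goes where) is irrelevant for this relation."""

# family -> families occurring in its kind, e.g.  term : tp -> type
KINDS = {'tp': [], 'term': ['tp'], 'can': ['tp'], 'atm': ['tp']}

# constant -> (families occurring in its argument types, result family)
SIG = {
    'arrow': (['tp', 'tp'], 'tp'),
    'lam':   (['term', 'term', 'tp'], 'term'),  # (term T1 -> term T2) -> term (T1 arrow T2)
    'app':   (['term', 'term', 'tp'], 'term'),  # term (T1 arrow T2) -> term T1 -> term T2
    'eapp':  (['can', 'atm', 'tp'], 'atm'),     # can (T2 arrow T1) -> atm T2 -> atm T1
    'elam':  (['atm', 'can', 'tp'], 'can'),     # (atm T1 -> can T2) -> can (T1 arrow T2)
    'eca':   (['atm', 'tp'], 'can'),            # atm T -> can T
}


def subordination(kinds, sig):
    """Return {a: set of families b subordinate to a}: objects of b may occur
    inside objects (or index types) of a.  Reflexive and transitively closed."""
    sub = {a: set(deps) | {a} for a, deps in kinds.items()}
    for args, result in sig.values():
        sub[result].update(args)
    changed = True
    while changed:                      # transitive closure by fixpoint iteration
        changed = False
        for a in sub:
            before = len(sub[a])
            for b in list(sub[a]):
                sub[a] |= sub[b]
            changed |= len(sub[a]) != before
    return sub


def subordinate(b, a, kinds=KINDS, sig=SIG):
    """Is family b subordinate to family a in this signature?"""
    return b in subordination(kinds, sig)[a]


def can_strengthen(param_family, result_family, kinds=KINDS, sig=SIG):
    """A parameter of param_family may be dropped from the type of an object of
    result_family exactly when no such object can contain it, i.e. when
    param_family is not subordinate to result_family; then the parameter
    cannot escape its scope and the encoding stays adequate."""
    return not subordinate(param_family, result_family, kinds, sig)
```

On this signature the check returns what the text argues by inspection: atm is not subordinate to term, so x : atm T1 can be strengthened away from E' : term T2, whereas tp is subordinate to term (types index terms) and atm and can are mutually subordinate, so none of those parameters could be dropped in the same way.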


4.3  Overview  Of  This  Thesis 

A meta-logical framework serves a number of important purposes: first, it allows system developers to formalize their designs and cast them into a machine-interpretable language; second, it provides a language to express properties about these designs; and third, it implements the technology necessary to verify these properties.

In  this  work,  we  have  committed  to  the  logical  framework  LF  [HHP93]  as  representation 
language.  We  believe  that  it  is  currently  the  best  representation  language  for  our  work  since 
we  are  mainly  interested  in  formal  systems,  such  as  programming  languages,  logics,  and  type 
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systems.  What  makes  LF  the  framework  of  choice  is,  that  it  permits  elegant  and  adequate 
encodings  of  deductive  systems  using  higher-order  representation  techniques  and  dependent 
types.  Judgments  are  represented  as  types  and  deductions  as  objects. 

One of the main contributions of this thesis is to extend LF to a meta-logical framework. We observe that the majority of properties about programming languages and logics are proven by induction, in particular all the properties in the previous chapter. The goal of this work is the design of a meta-logic that can formalize the meta-theory of deductive systems.

Finally,  we  develop  tools  for  automated  reasoning  in  this  thesis.  Designing,  developing, 
implementing,  enhancing,  and  verifying  the  design  of  formal  systems  is  a  very  tedious  and  time 
intensive  endeavor.  In  order  for  a  meta-logical  framework  to  be  a  useful  tool,  it  must  support 
and  automate  the  user’s  task. 

More concretely, in this thesis we develop a two-layer meta-logical framework. Based on LF, we develop a meta-logic M2 in Chapter 5 that is expressive enough to formalize interesting properties about programming languages, logics and type systems. It is an intuitionistic logic that defines a language of formulas useful to formalize properties, and a language of proof terms witnessing the derivability of a property. What distinguishes M2 from other logics is the ability to reason over higher-order encodings of deductive systems, relying on the regular world assumption.

Unlike standard inductive theorem provers that rely on the closed world assumption, M2 allows dynamic but regular extensions of the world. Under the closed world assumption the set of constructors for a particular inductively defined datatype is statically fixed a priori. Under the regular world assumption, however, it can be dynamically extended by new constructors during a proof.

The regular world assumption is sound because, from the property of LF that canonical forms are inductively defined, we can infer that any recursive function that is valid in M2 is a realizer. For example, refl, subst, dia, strip, conf, and cr are all derivable in M2 and they are realizers. In order to make the soundness argument formal, we specify an operational semantics for M2 in Chapter 6, and in Chapter 7 we show that each function derivable in M2 is total.

We also present some automated deduction algorithms in Chapter 8 that have been implemented in the Twelf system. In fact, Twelf contains a working meta-theorem prover (http://www.twelf.org) that can prove all the theorems we have shown in the previous sections and chapters. The theorem prover works mostly automatically; all that is required is the proper formulation of the induction hypothesis, a termination order, and a number which limits the search space when Twelf is constructing a witness object to close a proof subgoal.

Twelf has been used in many experiments. In logic, for example, Twelf has been successfully applied to derive the cut-elimination results for full first-order intuitionistic and full first-order classical logic [Pfe95]. In logic programming, it has been used to show that, for the fragment of hereditary Harrop formulas implemented in λProlog [NM88], proof search for uniform derivations and resolution are equivalent. It also derived the same property for the Horn fragment of predicate logic. In the area of functional programming, Twelf was used to show that the operational semantics of Mini-ML, an ML dialect without exceptions, references and modules, preserves types. In addition, it derived a completeness result for compiling Mini-ML programs into a continuation-based transition machine, the CPM [FSDF93]. Most proofs could be found in a few seconds; for some others Twelf needed more time.
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4.4  Related  Work 

In the last few decades it has been realized that type theory is an appropriate formalism for the representation of propositions and proofs. After the discovery of the Curry-Howard isomorphism [How80], it has become common practice to represent propositions as types and to express derivability by the existence of objects. In particular, it guarantees that propositional natural deduction derivations [Pra65] can be represented as λ-terms in the simply-typed λ-calculus.

Thereafter many type theories were developed, arguably the most influential being Martin-Löf's type theory [ML80]. Most importantly, it demonstrated how dependent types and an equality relation can be used to adequately represent judgments and derivations in a formal framework. Martin-Löf's type theory eventually led to the development of the NuPRL system [C+86], and it is implemented in ALF [Mag95].

There  has  been  a  whole  series  of  different  systems,  following  this  tradition,  among  others  the 
Isabelle  system  [Pau94]  based  on  the  simply- typed  A-calculus,  the  Coq  system  [DFH+93],  which 
is  based  on  the  calculus  of  constructions  [CH88],  and  the  Lego  system  [LP92],  which  is  based  on 
a  refined  version  of  the  calculus  of  constructions.  A  more  detailed  discussion  about  these  these 
systems  and  logical  frameworks  in  general  can  be  found  in  [Pfe99]. 

All  these  systems  are  very  similar  in  nature.  One  logical  framework  makes  use  of  polymor¬ 
phism,  the  other  of  type  constructors.  Many  of  these  systems  provide  the  facilities  to  reason  by 
induction.  But  in  all  cases,  the  underlying  assumption  is  that  the  world  is  closed.  Consequently, 
higher-order  encodings  as  we  use  them  in  this  thesis  are  not  directly  expressible  in  any  of  these 
systems,  and  therefore,  none  of  the  systems  can  express  proofs  as  elegantly  as  we  have  presented 
them  in  this  chapter. 

In order to rectify this shortcoming, many of the systems have introduced inductive datatypes to which induction principles are associated. In general, it has been accepted that the negativity condition associated with inductively defined datatypes (as shown in Section 4.1) is unavoidable. Therefore higher-order representation techniques have hardly been used, and alternative first-order encodings have been chosen. A common way to represent variables, for example, is the use of de Bruijn indices or integers.

The main drawback of first-order representation techniques is that they are not very elegant. They do not exploit the type theory in order to define, represent, and execute substitutions; instead, everything that has to do with substitutions must be explicitly encoded and proven correct. One can think of higher-order representations as alive, since they can change their shape due to internal β-reductions, whereas first-order representations are dead, since every reduction operation must be defined outside the logical framework¹.

In this way, the original calculus of constructions [CH88] has been extended to the inductive calculus of constructions [PM93], which is now used as the formal basis for Coq, and Isabelle, Lego, and ALF all allow inductive definitions provided that the positivity condition is satisfied.

On the other hand, the LF type theory does not contain a concept of inductive datatypes. As already discussed, the recursive function space implicitly associated with the elimination rule of inductive definitions is inherently incompatible with the parametric function space provided by LF (see Section 2.6), and the Elf project [Pfe89] has taken a stand for higher-order representation techniques and against inductive datatypes. LF is a very elegant tool to represent deductive systems, but it lacks a general theory to represent meta-theory adequately.

¹ This analogy is due to Henk Barendregt.


Even though Elf does not provide a recursive function space, its operational semantics implicitly defines recursive relations. Specifically, recursive functions which lie in the $\Pi_2$-fragment can be encoded in Elf as relations [Pfe89]. Each relation relates the universally quantified assumptions (read as input arguments) to the existentially quantified assumptions (read as output arguments). The relation is representable as an LF signature, and executable via a logic programming interpretation. As an example we present an encoding of Lemma 3.5 as a recursive function which maps two derivations $\mathcal{D} :: e \longrightarrow^{*} e'$ and $\mathcal{E} :: e' \longrightarrow^{*} e''$ to a derivation $\mathcal{D}' :: e \longrightarrow^{*} e''$. The function is represented as the relation

$\mathsf{trans}\ \ulcorner\mathcal{D}_1\urcorner\ \ulcorner\mathcal{D}_2\urcorner\ \ulcorner\mathcal{D}\urcorner$

which is encoded as a type family. The first two arguments must be interpreted as input arguments, and the last as output argument. We omit that E, E', and E'' are also treated as input arguments, since the Elf type reconstruction algorithm infers this information itself.

    trans       : (E ⟶* E') → (E' ⟶* E'') → (E ⟶* E'') → type
    trans_rid   : trans rid D2 D2
    trans_rstep : trans (rstep D1' D1'') D2 (rstep D1' P)
                  ← trans D1'' D2 P

Obviously, from the point of view of LF, this is not the encoding of a function, it is a sequence of constant declarations! The semantics of ordinary parametric functions, given by the β- and η-rules, is not enough to establish an operational semantics of a function represented this way. Therefore, LF signatures have been equipped with a logic programming interpretation, which assigns an operational meaning to → and Π [Pfe89] and interprets each declaration in the signature as applicable if its head is unifiable with the goal. This way, a query of the form "trans rid rid P" can be executed, and the value being returned is the constant "rid" bound to the variable P. The reader is invited to consult [Pfe00] for a large collection of further examples.

Because of this external interpretation of a signature as a program, recursive functions can be represented in LF. But do these declarations necessarily represent proofs? The answer is clearly no! To represent a proof, the recursive function must be total, i.e. its evaluation must always make progress and eventually terminate. But this property is not enforced, neither by the type system of LF nor by the definition of the operational semantics itself. As a matter of fact, it is very easy to write non-terminating functions. Adding

    infinite : trans D1 D2 P
               ← trans D1 D2 P

as the first object constant declaration to the LF signature will cause the evaluation to loop. Similarly, omitting the rule for rid from the signature will force the operational semantics to get stuck when executing "trans rid rid P", and the value of P cannot be determined.

In order to determine that a type family represents a proof, one has to employ an external check for totality, a procedure to which we refer as a schema-checker. Early attempts have been made to devise an efficient and reliable schema-checking algorithm by Rohwedder [Roh96]. The formal conditions for termination (see Section 7.2) and coverage (see Section 7.3) can be used to devise an appropriate schema-checking algorithm.
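The operational reading of the trans signature, and the two ways it fails to be a proof, can be made concrete with a miniature interpreter. The following Python program is an added example, not code from the thesis or from the Twelf system: it represents the three declarations as clauses, answers queries by depth-first search over the clauses in order, and shows that the signature with the infinite clause in front loops (caught here by a fuel bound) while the signature without the rid clause gets stuck. It uses first-order unification instead of Elf's higher-order unification, which suffices for these clauses; the constructor names rid and rstep come from the text, whereas the placeholder single-step derivation beta and the fuel bound are constructed for the example.

```python
"""Added example (not from the thesis or Twelf): a miniature logic-programming
reading of the Elf signature for `trans`, plus the two failure modes described
in the text. Terms are first-order: a variable is a str starting with an
uppercase letter, a constant (rid, beta) is a lowercase str, and a constructor
application is a tuple (name, arg1, ..., argn)."""


def is_var(t):
    return isinstance(t, str) and t[:1].isupper()


def walk(t, s):
    """Follow variable bindings in substitution s until an unbound term."""
    while is_var(t) and t in s:
        t = s[t]
    return t


def unify(a, b, s):
    """First-order unification; returns an extended substitution or None.
    (No occurs check: not needed for the clauses in this example.)"""
    a, b = walk(a, s), walk(b, s)
    if a == b:
        return s
    if is_var(a):
        return {**s, a: b}
    if is_var(b):
        return {**s, b: a}
    if isinstance(a, tuple) and isinstance(b, tuple) and a[0] == b[0] and len(a) == len(b):
        for x, y in zip(a[1:], b[1:]):
            s = unify(x, y, s)
            if s is None:
                return None
        return s
    return None


def rename(t, suffix):
    """Freshen the variables of a clause before each use."""
    if is_var(t):
        return t + suffix
    if isinstance(t, tuple):
        return (t[0],) + tuple(rename(x, suffix) for x in t[1:])
    return t


def resolve(t, s):
    """Fully instantiate t under the answer substitution s."""
    t = walk(t, s)
    if isinstance(t, tuple):
        return (t[0],) + tuple(resolve(x, s) for x in t[1:])
    return t


# The signature from the text, read as clauses (head, subgoals). `beta` is a
# constructed placeholder for some single-step derivation.
TRANS_RID = (("trans", "rid", "D2", "D2"), [])
TRANS_RSTEP = (("trans", ("rstep", "D1a", "D1b"), "D2", ("rstep", "D1a", "P")),
               [("trans", "D1b", "D2", "P")])
INFINITE = (("trans", "D1", "D2", "P"), [("trans", "D1", "D2", "P")])

TRANS = [TRANS_RID, TRANS_RSTEP]   # the total encoding of Lemma 3.5
LOOPING = [INFINITE] + TRANS       # `infinite` added as the first declaration
NO_RID = [TRANS_RSTEP]             # the rid clause omitted


class OutOfFuel(Exception):
    """Raised when the bound on clause applications is exhausted."""


def solve(goals, clauses, s, fuel, depth=0):
    """Depth-first, clause-ordered search; yields answer substitutions.
    fuel[0] bounds the total number of clause tries."""
    if not goals:
        yield s
        return
    goal, rest = goals[0], goals[1:]
    for i, (head, body) in enumerate(clauses):
        fuel[0] -= 1
        if fuel[0] < 0:
            raise OutOfFuel()
        suffix = f"_{depth}_{i}"
        s2 = unify(goal, rename(head, suffix), s)
        if s2 is None:
            continue        # head not unifiable: this declaration does not apply
        yield from solve([rename(g, suffix) for g in body] + rest, clauses, s2, fuel, depth + 1)


def query(goal, clauses, fuel=200):
    """First answer with the output argument instantiated, or None when the
    operational semantics gets stuck (no clause applies)."""
    for s in solve([goal], clauses, {}, [fuel]):
        return resolve(goal, s)
    return None


def loops(goal, clauses, fuel=200):
    """True if evaluation does not finish within the fuel bound."""
    try:
        query(goal, clauses, fuel)
        return False
    except OutOfFuel:
        return True


if __name__ == "__main__":
    print(query(("trans", "rid", "rid", "P"), TRANS))      # P bound to rid
    print(query(("trans", "rid", "rid", "P"), NO_RID))     # None: stuck
    print(loops(("trans", "rid", "rid", "P"), LOOPING))    # True: loops
```

The query "trans rid rid P" against the full signature binds P to rid, exactly as the text describes; against NO_RID no clause head unifies, so query returns None, and against LOOPING the first clause re-applies to its own subgoal until the fuel is exhausted. Neither outcome is rejected by anything in the signature itself, which is the point of the schema-checker discussed above.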

It is inherently difficult to extend a logical framework with a parametric function space by a recursive function space in such a way that both function spaces can coexist. We only know of one successful attempt, which goes back to Schürmann, Despeyroux, and Pfenning [DPS97]: the □-calculus, a conservative extension of the simply-typed λ-calculus. This work introduces a new type □A that reads as the type of all closed objects of type A. Using the modal operator and the parametric function arrow, the recursive function space $A_1 \Rightarrow A_2$ is defined in the following way.

$A_1 \Rightarrow A_2 = \Box A_1 \rightarrow A_2$

The □-calculus also provides iteration and case operators that allow function definition by case analysis (over any closed, possibly functional object). Specifically, a recursive function f mapping natural numbers to natural numbers has either type $\Box\mathsf{nat} \rightarrow \mathsf{nat}$ or type $\Box\mathsf{nat} \rightarrow \Box\mathsf{nat}$, depending on whether the result of an application of f should be used as an argument to another recursive function or not.

The □-calculus is a very elegant solution to the problem of having a recursive and a parametric function space coexist in one logical framework, but it has two severe restrictions, which make it an unsuitable candidate for a meta-logical framework: First, it requires that arguments to recursive functions are always closed, which, as far as we know, excludes the representation of the proof of the reflexivity Lemma 3.4 for parallel reduction. Second, it is only defined for the simply-typed setting. Therefore, it is by far not general enough to be used as a meta-logical framework. The second restriction has been partially addressed in the thesis of Leleu [Lel98], where he develops an extension of the □-calculus that also includes dependent types. But the first restriction remains, and it is not at all clear how to extend it to also reflect parameter contexts and allow reasoning about open terms.

A more general approach has been taken by Miller and McDowell with their system $FO\lambda^{\Delta\mathbb{N}}$. $FO\lambda^{\Delta\mathbb{N}}$ is a meta-logic based on an intuitionistic first-order logic extended by natural number induction and definitional reflection [SH93b]. This meta-logic is very general, so general that it supports the representation of various logical frameworks, for example the intuitionistic and linear frameworks of hereditary Harrop formulas [McD97]. The embedded logical frameworks are used to represent deductive systems. In [MM97], McDowell discusses the formalization of the type preservation proof for Mini-ML.

$FO\lambda^{\Delta\mathbb{N}}$ is similar to $\mathcal{M}_2^+$ because it explicitly separates the meta-logic from the logical framework, but on the other hand it is quite different: The only induction principle underlying $FO\lambda^{\Delta\mathbb{N}}$ is natural number induction. In particular, every structural inductive argument must be mapped onto natural numbers, which puts additional strain on the formulation of meta-theorems. A second drawback of $FO\lambda^{\Delta\mathbb{N}}$ is the treatment of parameter contexts. The logic is not specific enough to treat parameter contexts as special entities. On the contrary, parameter contexts and hypotheses must be explicitly represented as lists or as functions, as must the regularity condition.

In addition, $FO\lambda^{\Delta\mathbb{N}}$ is an intuitionistic logic without proof terms. Contrary to our approach, where we show soundness of our meta-logic by guaranteeing that the proof terms are total functions, McDowell uses a purely logical argument. He shows that $FO\lambda^{\Delta\mathbb{N}}$ enjoys the cut-elimination property. Naturally, cut-elimination implies consistency. Considering how complicated the original cut-elimination proof already is [MM00], the soundness argument is the major impediment when generalizing the natural number induction principle of $FO\lambda^{\Delta\mathbb{N}}$ to full structural induction.

The ability of $FO\lambda^{\Delta\mathbb{N}}$ to represent other logical frameworks immediately raises two questions. First, which other logical frameworks are there, and are they interesting? And second, how well can $\mathcal{M}_2^+$ adapt to these new logical frameworks? The answer to the first question is yes, there are many important logical frameworks, and the answer to the second question will be postponed until Section 9.1.2.

The interested reader might wonder if it is possible to develop the meta-logic using a proof assistant, such as NuPRL or Coq. The formal development of the meta-logic requires a sound formalization of LF, including congruence rules and much of its meta-theory; it will require proofs of many properties such as substitution lemmas, the canonical form theorem, and many others. In addition, one would have to formalize unification and subordination, and derive their necessary properties. We predict that the proof search engines of the proof assistants will not be efficient enough to perform the search for derivations inside the deductive systems, since the LF substitution lemmas and canonical form lemmas will have to be explicitly and repeatedly applied. In our system, we can exploit the fact that terms are alive: they normalize to their canonical form by themselves. However, for traditional theorem provers terms are dead, which means that it is the prover's responsibility to return a result in canonical form.

In summary, we believe the work carried out in this thesis cannot be developed in another proof assistant without spending a significant amount of time and energy. Even if it were possible, one cannot expect a working theorem prover for free as a result of the formal development.

The theorem prover implemented in Twelf, which we present in Chapter 8 of this thesis, works by searching for realizers for a given formula in $\mathcal{M}_2^+$. These realizers are recursive functions, which can be executed, and they compute witness objects for existential quantifiers from instantiations of universal ones. In this sense, Twelf is a program synthesis tool [Kre98] that generates correct programs in a not yet well explored programming language whose datatype declarations are written as LF signatures.

4.5 Summary

In this chapter, we have demonstrated how to formalize meta-proofs and meta-theorems in a meta-logical framework, leading up to an informal description of the meta-logic $\mathcal{M}_2^+$. Conceptually, $\mathcal{M}_2^+$ lies on a different and separate level above the logical framework LF. In particular, it encompasses universal and existential quantification, and conjunction. This is sufficient because the meta-logic does not provide any atomic constants or propositions other than truth. The meta-logic provides a proof term calculus where each proof term corresponds to a total recursive function. Totality is required in order to guarantee soundness, i.e. upon instantiation of its arguments the function must terminate and return with an answer.
Chapter 5

The Meta-logic $\mathcal{M}_2^+$


5.1 Introduction

The design cycle of programming languages, compilers, and logics is long, tedious, and error-prone. In particular, when extending a programming language by new constructs, one has to be very careful not to render the entire system design unsound. Even worse, an unsoundness occurring in a programming language is sometimes very difficult to detect by testing, sometimes it takes years, and very often it is extremely difficult to rectify since it involves a change in the language design.

The earlier mistakes in the development of a programming language are caught, the better the final result is. During the early design stages, adjustments to a language need not be local; they might, and often will, be global. In general, it is impossible to remove all flaws from a programming language already at the drawing board, but experience has shown that many flaws could be avoided by checking the design against certain a priori defined specifications, such as type soundness, progress, and others.

Consider for example the untyped λ-calculus, a very simple functional programming language, from Chapter 2. From [CR36] we learned that the diamond lemma and the Church-Rosser theorem hold for this language. What about extending it to the simply-typed case? All we had to do was to edit the sequence of theorems, by indexing all occurrences of "term" by a type. Next, we refined it to the polymorphic λ-calculus, and again we had to slightly generalize the formulation of the lemmas, this time by extending the context schemas (for example Lemma 4.10). This example shows how we envision users working with our tool. It serves the incremental development of programming languages and their theory while offering sophisticated verification procedures.

In this chapter, however, we begin with a formal presentation of the meta-logic which is at the very heart of this thesis. Its purpose is to express specifications about deductive systems. We develop an appropriate proof system based on the sequent calculus, for which we develop an automated proof search procedure in Chapter 8. The meta-logic is called $\mathcal{M}_2^+$, and it supersedes earlier versions that were published, for example, in [Sch95, SP98]. Unlike $\mathcal{M}_2$, which relies on the closed world assumption, $\mathcal{M}_2^+$ relies on the regular world assumption.

This chapter is organized in the following way. In Section 5.2 we introduce a notion of substitution for LF (see Section 2.4), since we will use substitutions from early on, and they will occur in different shapes over and over in this chapter. Using the notion of substitution, we start with the presentation of the logic, its syntax and semantics, in Section 5.3, followed by a formal inference system based on extensions to the sequent calculus in Section 5.4. In Section 5.5 we endow the inference rule system with proof terms, constructed in such a way that they can be used to represent (non-inductive) meta-proofs. In Section 5.6 we extend the proof term calculus by constructs for recursion, which allow the formalization of meta-proofs carried out via induction, and we add lemmas in Section 5.7. In Section 5.8 we conclude this chapter and assess the results.

5.2 Preliminaries

Variables and substitutions are two closely related concepts. In fact, in Chapter 2 we have used substitutions, for example, for the definition of the β-rule for the untyped, the simply-typed, and even the dependently typed λ-calculus. Be it in a formal development, in a theorem prover implementation, or even in the design of a programming language or logic, the treatment of variables is very difficult to get right. Since higher-order abstract syntax makes heavy use of the variable concept of the logical framework, variables and substitutions are the backbone of this development and hence deserve extremely careful attention. Specifically, LF substitutions are defined as a list of object/variable pairs M/x, where x is the variable to be instantiated and M an object which is well-defined in some context Γ.

Substitutions: $\sigma ::= \cdot \mid \sigma, M/x$

In this work we follow standard practice and allow only valid substitutions to be applied to valid terms. Because contexts contain explicit type information, validity can be easily expressed as a static property of substitutions.

Judgment

Valid substitutions: $\Gamma_2 \vdash \sigma : \Gamma_1$

We say that "a substitution σ goes from $\Gamma_1$ to $\Gamma_2$", which means that, when applied, it substitutes objects valid in $\Gamma_2$ for variables declared in $\Gamma_1$. We refer to $\Gamma_1$ as the domain of the substitution, and to $\Gamma_2$ as the co-domain.

Rules

$$\frac{}{\Gamma \vdash \cdot : \cdot}\ \mathrm{subempty} \qquad \frac{\Gamma_2 \vdash M : A[\sigma] \qquad \Gamma_2 \vdash \sigma : \Gamma_1}{\Gamma_2 \vdash \sigma, M/x : \Gamma_1, x : A}\ \mathrm{subcons}$$

Note that M has type $A[\sigma]$ in the first premise of rule subcons, where $A[\sigma]$ is the type one obtains from A by applying the substitution σ. Without going into detail of how substitution application is defined for LF, we always assume that substitutions can be applied to LF types, LF objects, or LF kinds if these are valid in the domain of the substitution. σ can be applied to A because $\Gamma_2 \vdash \sigma : \Gamma_1$ and $\Gamma_1 \vdash A : \mathsf{type}$.

A similar comment holds for the composition of substitutions. A substitution $\sigma_1$ can only be composed with $\sigma_2$ if $\sigma_1$'s co-domain and $\sigma_2$'s domain coincide. Formally this is expressed by $\Gamma_3 \vdash \sigma_2 : \Gamma_2$ and $\Gamma_2 \vdash \sigma_1 : \Gamma_1$. Substitution composition is written as $\Gamma_3 \vdash \sigma_1 \circ \sigma_2 : \Gamma_1$.
Definition 5.1 (Composition of substitutions)

$\cdot \circ \sigma_2 = \cdot$
$(\sigma_1, M/x) \circ \sigma_2 = (\sigma_1 \circ \sigma_2), M[\sigma_2]/x$

It is an easy consequence of the substitution lemmas for LF [HHP93] that the composition of two valid substitutions is valid.

Lemma 5.2 (Composition of substitutions)

If $\mathcal{D}_1 :: \Gamma_2 \vdash \sigma_1 : \Gamma_1$
and $\mathcal{D}_2 :: \Gamma_3 \vdash \sigma_2 : \Gamma_2$
then $\Gamma_3 \vdash \sigma_1 \circ \sigma_2 : \Gamma_1$.

Proof: by structural induction on $\mathcal{D}_1$. □
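Definition 5.1 and Lemma 5.2 can be exercised on small terms. The following Python program is an added example, not the thesis's own code: it represents substitutions with an explicit domain and co-domain, checks the conditions of subempty and subcons at construction time (one M/x per declaration of the domain, each M valid in the co-domain), composes substitutions exactly as the definition does, and verifies on constructed input that applying $\sigma_1$ and then $\sigma_2$ gives the same result as applying $\sigma_1 \circ \sigma_2$. Terms are first-order, without binders or dependent types, which is a simplification of LF chosen for the example; the sample contexts $\Gamma_1 = x, y$, $\Gamma_2 = a, b$, $\Gamma_3 = c$ and the constructors f, g, h, k are constructed.

```python
"""Added example (not the thesis's own code): substitutions with an explicit
domain and co-domain, composition following Definition 5.1, and a check of
N[sigma1][sigma2] = N[sigma1 o sigma2] on constructed terms. Simplification:
terms are first-order (a variable is a str, a constructor application is a
tuple (name, arg1, ..., argn)); binders and dependent types are omitted, so
A[sigma] on types is not modelled and contexts are plain variable lists."""


def free_vars(t):
    """Variables occurring in t."""
    if isinstance(t, str):
        return {t}
    return set().union(*(free_vars(a) for a in t[1:]))


class Subst:
    """sigma with Gamma2 |- sigma : Gamma1: `dom` is Gamma1 (the variables it
    replaces, in order), `cod` is Gamma2 (the variables its objects may use),
    `pairs` is the list of M/x pairs as built by subempty and subcons."""

    def __init__(self, dom, cod, pairs):
        self.dom, self.cod = tuple(dom), tuple(cod)
        self.pairs = [(m, x) for m, x in pairs]
        # subcons: exactly one M/x per declaration of the domain, in order ...
        if [x for _, x in self.pairs] != list(self.dom):
            raise ValueError("substitution does not cover its domain exactly")
        # ... and each M must be valid in the co-domain
        for m, x in self.pairs:
            escaping = free_vars(m) - set(self.cod)
            if escaping:
                raise ValueError(f"{m} for {x} mentions {escaping} outside the co-domain")

    def lookup(self):
        return {x: m for m, x in self.pairs}


def apply(t, sigma):
    """t[sigma]; t must be valid in sigma's domain."""
    escaping = free_vars(t) - set(sigma.dom)
    if escaping:
        raise ValueError(f"term mentions {escaping} outside the domain")
    table = sigma.lookup()

    def go(u):
        if isinstance(u, str):
            return table[u]
        return (u[0],) + tuple(go(a) for a in u[1:])
    return go(t)


def composable(s1, s2):
    """s1 o s2 is defined only when s1's co-domain is s2's domain."""
    return s1.cod == s2.dom


def compose(s1, s2):
    """Definition 5.1:  . o s2 = .   and  (s1', M/x) o s2 = (s1' o s2), M[s2]/x.
    The result goes from s1's domain to s2's co-domain, as Lemma 5.2 states."""
    if not composable(s1, s2):
        raise ValueError("co-domain of s1 and domain of s2 differ")
    return Subst(s1.dom, s2.cod, [(apply(m, s2), x) for m, x in s1.pairs])


# Constructed sample: Gamma1 = x, y ; Gamma2 = a, b ; Gamma3 = c
S1 = Subst(dom=["x", "y"], cod=["a", "b"], pairs=[(("f", "a", "b"), "x"), ("b", "y")])
S2 = Subst(dom=["a", "b"], cod=["c"], pairs=[(("g", "c"), "a"), ("c", "b")])
N = ("h", "x", ("k", "y", "x"))                       # a term valid in Gamma1


def check_composition(n=N, s1=S1, s2=S2):
    """Returns (n[s1][s2], n[s1 o s2]); the two must coincide."""
    return apply(apply(n, s1), s2), apply(n, compose(s1, s2))


if __name__ == "__main__":
    lhs, rhs = check_composition()
    print(lhs == rhs, rhs)
```

The domain and co-domain bookkeeping is what makes the composability requirement of the text ($\sigma_1$'s co-domain must be $\sigma_2$'s domain) a mechanical check: compose(S2, S1) is rejected because S2 ends in $\Gamma_3$ while S1 starts from $\Gamma_1$.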

This concludes the section on preliminary concepts, and we continue with the presentation of the logic $\mathcal{M}_2^+$, where substitutions are needed on many different occasions.


5.3 The Logic

We begin with the discussion of the logic $\mathcal{M}_2^+$, its syntax, and its semantics. The syntax of formulas is more complicated than in other logics because formulas also describe partial extensions of the current world. At the end of this section we define a formal semantics for this logic.

5.3.1 Syntax

We introduce the syntax of $\mathcal{M}_2^+$ in three steps. First, we formally define what context schemas are. Second, we motivate two different variable concepts: one kind of variable ranges over assumptions, i.e. LF types, and the other kind ranges over parameter blocks. Third, we characterize formulas.

Context schemas

In the formulation of each theorem, we explicitly require that a context schema is given which describes the regular extensions of the world. In Section 4.2.3 we have encountered an example where valid extensions of the world can only be described by more than one block schema. Context schemas are defined as a labeled list of block schemas, and each block schema has two components, a SOME-component and a BLOCK-component, where the BLOCK-component defines the form of a parameter block, and the SOME-component quantifies over the free variable occurrences in this block. Block schemas are always labeled. Context schemas are an integral part of any formula.

Context forms: $C ::= \cdot \mid C, x : A$

Block schemas: $B ::= \mathsf{SOME}\ C_1.\ \mathsf{BLOCK}\ C_2$

Context schemas: $S ::= \cdot \mid S, B^L$

Context forms are LF contexts; they enjoy all the substitution and α-conversion properties that regular LF contexts do. We have given them a different name and denote them with a different letter C in order to emphasize that they are blueprints for context blocks.
Variable concepts

In traditional intuitionistic or classical logic, when we write $\forall x \exists y.\ P(x, y)$, we typically do not specify the domain of the two variables x and y. If this formula is true, then independently of what x is bound to, it is certain that there exists a y which makes P(x, y) true.

For our purposes, on the other hand, we think of x and y as LF objects representing derivations of an encoded deductive system. Therefore, x and y range over objects of a certain type; we have demonstrated this already in Chapter 3, when we developed the different formalizations of theorems in the meta-logic. Consider for example the formalization of the reflexivity Lemma 4.3 for parallel reduction. The colon indicates that T, E, and D range over LF objects.

$\Box(\mathsf{SOME}\ T : \mathsf{tp}.\ \mathsf{BLOCK}\ x : \mathsf{term}\ T, u : x \Rightarrow x)^L.$
$\forall T : \mathsf{tp}.\ \forall E : \mathsf{term}\ T.\ \exists D : E \Rightarrow E.\ \top$

Note that in this formalization T and E are not standard LF variable declarations as described in Section 2.4. There is a new property attached to these variables which is not available in LF at all: in order to reason by induction, we can analyze the different forms of T and E.

Nevertheless, since we always keep the LF level and the $\mathcal{M}_2^+$ level entirely separate, we continue to write x : A for the assumption that x is of type A, and we keep in mind that we can analyze x on a case-by-case basis. From a logical point of view, we call x : A an assumption.

The regular world assumption introduces a new level of complexity. Recall that the regular world assumption allows dynamic but regular extensions of the LF signature. A recursive function, as we have seen in the previous chapter, can extend the current world by new constructors. Extensions of the world must always match the abstract description of the world through context schemas.

In addition to the standard variable concept, we need a notion of variables that range over parameter blocks. We motivate these new variables using the reflexivity Lemma 4.3. After analyzing the cases on E, we had to consider the one case that E in fact refers to a parameter x in an extension Φ of the current world. Here x is a variable; it simply ranges over any parameter. Recall that the context schema states that

$(\mathsf{SOME}\ T : \mathsf{tp}.\ \mathsf{BLOCK}\ x : \mathsf{term}\ T, u : x \Rightarrow x)^L$

which means that any x in Φ is always accompanied by a u. Thus, u ranges over the second parameter in a parameter block. Since we need to reason abstractly about parameter blocks, we refer to x and u collectively as a variable block. In full generality, variable blocks consist of many parameter variables. We write $\rho = (x : \mathsf{term}\ T, u : x \Rightarrow x)$ for variable blocks.

Variable blocks: $\rho ::= \cdot \mid \rho, x : A$

Variable blocks are typically labeled as described in Section 4.2.3, and these labels are written in exponent notation. Consequently, variable blocks ρ ranging over parameter blocks labeled with L are written as $\rho^L$. In this setting, regular world extensions Φ can be defined as a list of labeled variable blocks. As an example consider the following extension of the world, which is clearly an instance of the context schema:

$\Phi = (x_1 : \mathsf{term}\ \ulcorner\tau_1\urcorner, u_1 : x_1 \Rightarrow x_1)^L, \ldots, (x_n : \mathsf{term}\ \ulcorner\tau_n\urcorner, u_n : x_n \Rightarrow x_n)^L$

Variable blocks and regular world extensions enjoy the standard properties, such as substitution, weakening, contraction, and limited exchange [HHP93]. α-convertibility of variable blocks $\rho_1 =_\alpha \rho_2$ is decidable and follows from a simple generalization of convertibility of types. Formally, variable blocks are simply lists of parameter-binding variables together with their types.

Formulas

Given the two different variable concepts, the formula level must provide two quantifiers, one binding each kind of variable. In $\mathcal{M}_2^+$ we use the standard universal quantifier to quantify over LF objects, as used in the formula for the reflexivity lemma.

$\forall E : \mathsf{term}\ T.\ \exists D : E \Rightarrow E.\ \top$

The other quantifier ranges over variable blocks ρ. We motivate this new quantifier by further examples. Consider again the standard extension of the current world as often assumed in the previous chapter.

$\Phi = (x_1 : \mathsf{term}\ \ulcorner\tau_1\urcorner, u_1 : x_1 \Rightarrow x_1)^L, \ldots, (x_n : \mathsf{term}\ \ulcorner\tau_n\urcorner, u_n : x_n \Rightarrow x_n)^L$

In the reflexivity Lemma 4.3 for parallel reduction we must analyze cases over E : term T. That means we have to consider a variable block ρ ranging over any parameter block of label L. In this case, we must show that for all types T, and for variable blocks ranging over parameter blocks in Φ, there exists a D of appropriate type. We use quantification over variable blocks of label L, via the Π-quantifier, to express this formula.

$\forall T : \mathsf{tp}.\ \Pi(x : \mathsf{term}\ T, u : x \Rightarrow x)^L.\ \exists D : x \Rightarrow x.\ \top$

A formula in $\mathcal{M}_2^+$ is built from two parts. The first part describes the form of possible extensions of the world. It is expressed by the context schema. Informally, the reflexivity Lemma 3.4 states:

Consider the situation where a list of the following assumptions is present:
$x_1 : \mathsf{term}\ \ulcorner\tau_1\urcorner, u_1 : x_1 \Rightarrow x_1, \ldots, x_n : \mathsf{term}\ \ulcorner\tau_n\urcorner, u_n : x_n \Rightarrow x_n$
Then for any well-typed term e, there exists a derivation of $e \Rightarrow e$.

The context schema formalizes the statement about the list of assumptions, whereas a formula expresses the property to be shown.

Formulas are defined in terms of universal and existential quantifiers ranging over assumptions and variable blocks, conjunction to represent mutually inductive theorems, and truth. For this work, we are particularly interested in formulas that lie in the $\Pi_2$-fragment, since it is this fragment for which we develop the automated deduction algorithms described in Chapter 8. The well-formedness condition for formulas is discussed in Section 5.4.3.

General formulas: $G ::= \Box S.\ F$

Formulas: $F ::= \forall x : A.\ F \mid \Pi\rho^L.\ F \mid \exists x : A.\ F \mid F_1 \wedge F_2 \mid \top$

It is possible to separate the two parts of a general formula and to leave the definition of the context schema implicit, similarly to how we leave the definition of the signature implicit. However, for clarity we carry the context schema as part of the formula in this work.

As a reminder, here are some examples of meta-theorems expressible in this logic. The first example is the diamond lemma for parallel reduction.

Example 5.3 (Diamond lemma) (see Lemma 4.6)

$\Box(\mathsf{SOME}\ T : \mathsf{tp}.\ \mathsf{BLOCK}\ x : \mathsf{term}\ T, u : x \Rightarrow x)^L.$
$\forall T : \mathsf{tp}.\ \forall E : \mathsf{term}\ T.\ \forall E^l : \mathsf{term}\ T.\ \forall E^r : \mathsf{term}\ T.$
$\forall D^l : E \Rightarrow E^l.\ \forall D^r : E \Rightarrow E^r.$
$\exists E' : \mathsf{term}\ T.\ \exists R^l : E^l \Rightarrow E'.\ \exists R^r : E^r \Rightarrow E'.\ \top$

The second example is the reflexivity lemma for the polymorphic λ-calculus. Note that here the context schema contains two block schemas.

Example 5.4 (Reflexivity lemma for the polymorphic λ-calculus) (see Lemma 4.10)

$\Box(\mathsf{SOME}\ T : \mathsf{tp}.\ \mathsf{BLOCK}\ x : \mathsf{term}\ T, u : x \Rightarrow x)^L, (\mathsf{BLOCK}\ a : \mathsf{tp})^{B}.$
$\forall T : \mathsf{tp}.\ \forall E : \mathsf{term}\ T.\ \exists D : E \Rightarrow E.\ \top$

The logic is very simple, and simultaneously very strong, because it inherits its expressiveness from the underlying logical framework LF. In particular, there are no other constants defined besides truth. There is no equality. There is no falsehood. There is no disjunction. On the one hand this sounds like a severe restriction; on the other hand it may not be. For specific instances, it is possible to define disjunction in LF and to make it accessible to $\mathcal{M}_2^+$. A more thorough investigation of other useful connectives for $\mathcal{M}_2^+$ is left to future work.

5.3.2 Semantics

In this subsection we extrapolate a suitable semantics for M2+ from the examples presented in Chapter 3. The semantics is straightforward and intuitive. Before we present the meaning of a general formula G in M2+ in detail, we first define an interpretation of the new □-operator, which prompts the definition of an interpretation of context schemas.

A closer look at context forms C reveals that C's are defined structurally in a way very similar to LF contexts, namely as a list of declarations. In order to judge whether a given context satisfies a context schema, we must check that every block is an instantiation of a block schema, block by block.

Consider for example a regular extension of the world, which we denoted by Φ = Φ', ρ^L, where ρ is the most recent block introduced in the world. This block is labeled with L. Obviously, for Φ to be valid, Φ' must be valid and ρ must be an instance of the block schema SOME C1. BLOCK C2. In other words, there must be an instantiation for the variables in C1 from Φ', and ρ must match C2', where C2' is the result of instantiating all variables from C1 in C2. In the first case we speak of a SOME-instantiation, and in the second of a BLOCK-construction, which includes an explicit α-conversion step to ensure that the naming of parameters is unique.

BLOCK-construction creates the new parameter context by traversing C from left to right instead of right to left as suggested by the syntactic definition of C. We write [σ]C for the instantiation of context form C followed by an α-conversion step; σ is a substitution.
The interpretation of a block schema is defined in terms of SOME-instantiations and BLOCK-constructions. It is the set of all parameter blocks that are the result of a BLOCK-construction after some appropriate SOME-instantiation.

Definition 5.5 (Interpretation of a block schema)

For all σ, s.t. Φ ⊢ σ : C1, it holds that Φ ⊢ [σ]C2 ∈ [[SOME C1. BLOCK C2]]

We say that Φ lies in the interpretation of S if every parameter block of Φ is in the interpretation of some block schema defined by S. Obviously, the empty parameter context is an element of the interpretation of any context schema.

Definition 5.6 (Interpretation of context schemas)

[[S]] := {·} ∪ {Φ, ρ^L | Φ ∈ [[S]] and there exists a B^L ∈ S, s.t. Φ ⊢ ρ ∈ [[B]]}

On the basis of the interpretation of context schemas we can now define the semantics of formulas. A general formula is semantically valid if its body is valid in every parameter context compatible with the context schema. A universally quantified formula is valid if for all instantiations of the assumption variable the body of the formula is valid. Similarly for variable block quantification: a Π-formula is semantically valid if and only if its body is semantically valid after instantiating the variable block with a parameter block from the context (carrying the same label). An existentially quantified formula is semantically valid if there exists a term M which makes the body of the formula valid. The conjunction of two formulas is valid if each of the conjuncts is, and last but not least, ⊤ is always semantically valid.

Definition 5.7 (Meaning of formulas)

    ⊨ □S. F          iff   Φ ⊨ F           for all Φ ∈ [[S]]
  Φ ⊨ ∀x : A. F      iff   Φ ⊨ F[M/x]      for all M, s.t. Φ ⊢ M : A
  Φ ⊨ Πρ^L. F        iff   Φ ⊨ F[ρ'/ρ]     for all ρ'^L ∈ Φ, s.t. Φ ⊢ ρ' =_α ρ
  Φ ⊨ ∃x : A. F      iff   Φ ⊨ F[M/x]      for some M, s.t. Φ ⊢ M : A
  Φ ⊨ F1 ∧ F2        iff   Φ ⊨ F1 and Φ ⊨ F2
  Φ ⊨ ⊤

The goal of this thesis is to develop an automated meta-theorem prover which can prove meta-theorems about deductive systems. Unfortunately, the semantics of the meta-logic does not provide enough structure for the construction of a theorem prover for M2+. Thus we develop a formal proof theory for M2+ in the remainder of this chapter. The proof system is based on an extension of intuitionistic logic [Gal93], as the definition of the semantics of M2+ already suggests. Given any instantiation of the universal quantifiers, the proof determines witness objects for the existential quantifiers. That derivability in this proof theory implies semantic validity is shown in Chapter 7. The attentive reader might recall that meta-proofs are formalized by recursive functions, for which we have already given many examples in Chapter 4.

The development of the formal proof system is rather complex and quite challenging. In order to facilitate the presentation, we begin in Section 5.4 with a set of inference rules which extends the standard formalization of the sequent calculus for intuitionistic logic by variable blocks and the appropriate quantifier. We then endow the calculus with proof terms in Section 5.5 and add two operators to permit definition by cases and recursion in Section 5.6. Finally we add another operator to express lemma application in Section 5.7.



5.4  The  Proof  System 

The proof system for M2+ not only contains a set of inference rules in order to define provability, but also a set of rules which characterize well-formed context schemas and well-formed formulas. All three inference rule systems rely on a proper treatment of assumptions. Recall that there are assumption variables, which correspond to LF objects, and there are variable blocks, which range over entire parameter blocks. In this section we first discuss these assumption contexts in detail (Section 5.4.1); we then present the inference system for context schemas in Section 5.4.2, the inference system for well-formed formulas in Section 5.4.3, and finally the inference system which defines provability in the sequent calculus in Section 5.4.4.

5.4.1  Generalized  Contexts 

Generalized contexts for M2+ are inherently different from the standard LF contexts Γ from Section 2.4, and they extend the notion of context used in the previous version M2 [SP98]. There, contexts were defined as a list of assumptions (or Eigenvariables). It was guaranteed that under the closed world assumption all variables declared in such a context stood for closed LF expressions. Generalized contexts as defined in this section are much more general because of the regular world assumption. Recall that we reason about derivations that are "open" in regular extensions of the world, and therefore assumptions declared in a generalized context may be open. Generalized contexts also describe the partial knowledge about the world at any point in a proof.

One question comes immediately to mind: Why represent all information in one generalized context? Wouldn't it be better to represent it in two different ones, where one context represents assumptions and the other the current extension of the world? The answer is subtle: the information about assumptions and the world cannot be separated because of dependencies. Assumptions might occur in the types of the parameters, as we can see in the example above where x : term T. And vice versa, parameters can occur in the types of assumptions; E : x ⇒ x is such an example. Another example can be found in the proof of the diamond Lemma 4.6: after the first case analysis the left reduction is represented by D_l : x ⇒ E_l, uncovering a dependency.

Since variable blocks describe properties of parameter contexts and assumptions live on an entirely different level, they are conceptually different, and one could argue that there is no need to worry about dependencies at all. This argument is wrong, and we make one more observation that should clarify the question: our notion of generalized context cannot represent invalid parameter contexts.


Example 5.8 (Invalid parameter context) Consider the simply-typed λ-calculus from above and the following context schema:

(SOME T : tp, E : term T. BLOCK x : term T, u : E ⇒ x)^L

The list

(x : term ⌜T⌝, u : y ⇒ x)^L, (y : term ⌜T⌝, v : x ⇒ y)^L

is not a parameter context, because the two blocks cannot be ordered in any way that respects dependencies.
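To make the block-by-block check of Definitions 5.5 and 5.6 concrete, here is an added Python example, not from the thesis or the Twelf system, that decides whether a parameter context lies in the interpretation of a context schema. It restricts LF to a toy fragment (an object is a single token, a type a token sequence), which is an assumption of the example only; the schemas are those of Examples 5.3, 5.4 and 5.8, and the list from Example 5.8 is rejected because its SOME-instantiation E ↦ y is not well-typed in the prefix.

```python
# Added example (not from the thesis): is a parameter context in [[S]]?
# Definitions 5.5 and 5.6, checked block by block.  Simplifying assumptions of
# this example only: an LF object is a single token (a declared name or a
# signature constant); a type is a token sequence such as "term T" or "x => x".
CONST = {"tp", "term", "=>"}   # type-level constants of the toy signature

def toks(ty):
    return tuple(ty.split())

def subst(ty, sigma):
    """[sigma]A: replace SOME variables in a type, leave other tokens alone."""
    return tuple(sigma.get(t, t) for t in toks(ty))

def lookup(name, decls):
    """Type (as tokens) of `name` in a flat list of (name, type), else None."""
    for n, ty in reversed(decls):
        if n == name:
            return toks(ty)
    return None

def some_instantiation(bschema, block, prefix):
    """SOME-instantiation: unify the BLOCK pattern with the actual block, binding
    SOME variables (sigma) and alpha-renaming parameters (rho); sigma must be
    well-typed in the prefix (Phi' |- sigma : C1).  Returns (sigma, reason)."""
    some_vars = {n for n, _ in bschema["some"]}
    pattern = bschema["block"]
    if len(pattern) != len(block):
        return None, "block has the wrong number of declarations"
    sigma, rho = {}, {}
    for (pn, pty), (an, aty) in zip(pattern, block):
        rho[pn] = an                          # alpha-conversion of the parameter
        ptoks, atoks = toks(pty), toks(aty)
        if len(ptoks) != len(atoks):
            return None, f"type of {an} does not match the pattern {pty}"
        for p, a in zip(ptoks, atoks):
            if p in some_vars:                # bind, or check, a SOME variable
                if sigma.setdefault(p, a) != a:
                    return None, f"SOME variable {p} bound inconsistently"
            elif p in rho:                    # must be the renamed parameter
                if rho[p] != a:
                    return None, f"{an}: expected {rho[p]}, found {a}"
            elif p != a:                      # a constant must match literally
                return None, f"{an}: expected {p}, found {a}"
    for v, vty in bschema["some"]:            # Phi' |- sigma : C1
        if v not in sigma:
            return None, f"SOME variable {v} is unconstrained"
        want = subst(vty, sigma)
        if lookup(sigma[v], prefix) != want:
            return None, f"{sigma[v]} is not declared as {' '.join(want)} in the prefix"
    return sigma, "ok"

def block_construction(block, prefix):
    """BLOCK-construction: parameters must be fresh, and every name a type
    mentions must be declared in the prefix or earlier in the same block, so
    dependencies are honored left to right (the list in Example 5.8 fails this)."""
    seen = list(prefix)
    for name, ty in block:
        if lookup(name, seen) is not None:
            return f"parameter {name} is not fresh"
        for t in toks(ty):
            if t not in CONST and lookup(t, seen) is None:
                return f"{name} : {ty} depends on undeclared {t}"
        seen.append((name, ty))
    return "ok"

def in_schema(ctx, schema, sig=()):
    """Phi in [[S]]: each labelled block must lie in the interpretation of the
    block schema with that label, relative to the context to its left."""
    prefix = list(sig)
    for label, block in ctx:
        if label not in schema:
            return False, f"no block schema labelled {label}"
        sigma, why = some_instantiation(schema[label], block, prefix)
        if sigma is None:
            return False, f"{label}: {why}"
        why = block_construction(block, prefix)
        if why != "ok":
            return False, f"{label}: {why}"
        prefix.extend(block)
    return True, "ok"

# Constructed sample data; "nat" stands in for the closed type written ⌜T⌝.
SIG = [("nat", "tp")]
REFL = {"L": {"some": [("T", "tp")],                                # Example 5.3
              "block": [("x", "term T"), ("u", "x => x")]}}
POLY = {"L1": REFL["L"], "L2": {"some": [], "block": [("a", "tp")]}}  # Ex. 5.4
BAD = {"L": {"some": [("T", "tp"), ("E", "term T")],                 # Example 5.8
             "block": [("x", "term T"), ("u", "E => x")]}}

def demo():
    two = [("L", [("x", "term nat"), ("u", "x => x")]),
           ("L", [("y", "term nat"), ("v", "y => y")])]
    poly = [("L2", [("a", "tp")]), ("L1", [("x", "term a"), ("u", "x => x")])]
    ex58 = [("L", [("x", "term nat"), ("u", "y => x")]),
            ("L", [("y", "term nat"), ("v", "x => y")])]
    return (in_schema(two, REFL, SIG), in_schema(poly, POLY, SIG),
            in_schema(ex58, BAD, SIG))
```

Calling demo() returns (True, "ok") for the first two contexts and (False, "L: y is not declared as term nat in the prefix") for the list of Example 5.8; the second context shows a SOME variable being instantiated from an earlier block (T ↦ a) rather than from the signature.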
By definition a context schema represents all valid parameter contexts whose parameter blocks match the BLOCK declaration. Disregarding all dependencies would mean permitting invalid contexts, and reasoning about invalid contexts can lead to inconsistent results. Therefore we require that all dependencies of assumptions and variable blocks declared in a generalized context are honored, and so invalid parameter contexts are excluded from our considerations. Committing to an order of variable blocks and assumption variables does not mean that we have committed to a particular order of declarations in the parameter context: none of the rules we introduce below will ever take advantage of this information. Consequently, representing assumptions and variable blocks together in one generalized context only means that there exists at least one valid parameter context described by the generalized context. We start now with the formal presentation of generalized contexts.

Generalized Context:  Ψ ::= · | Ψ, x : A | Ψ, ρ^L

Since Ψ, when flattened out, is always a valid LF context, we can also use it as the context in LF judgments. In the rules below we use the notation Ψ ⊢ M : A, which means that after removing all labels from Ψ, the object M has type A in the newly obtained context. Moreover, our definition of regular worlds Φ is already subsumed: a generalized context Ψ that contains nothing but variable block declarations is a regular world.

Generalized contexts are valid if assumptions and variable blocks are well-typed in the standard sense. A variable block ρ^L in the generalized context Ψ, ρ^L is valid if it is an instance of a block schema SOME C1. BLOCK C2 as defined in Section 5.3.2.

Judgment

Validity of generalized contexts:  ⊢ Ψ abstract

Note that we omit two important indices from the judgment: ⊢ Ψ abstract is actually indexed by the signature Σ and the context schema S. In pedantic detail, one would write

⊢_{Σ;S} Ψ abstract

for the validity judgment. But in order not to clutter the presentation more than necessary, we omit these two indices. Because of the semantic validity of formulas and general formulas, it should be quite clear that Σ and S must be assumed constant throughout a proof. A similar remark holds for all other judgments which we introduce below in this section. Occasionally, we will remind the reader.

There are three rules which define the generalized contexts. First, the empty context is a generalized context; second, generalized contexts can be extended by valid variable blocks or by valid assumptions. Note that in the latter rule we use the LF typing judgment, where we implicitly flatten out Ψ.

Rules

---------------- vempty
⊢ · abstract

⊢ Ψ abstract    (SOME C1. BLOCK C2)^L ∈ S    Ψ ⊢ σ : C1
--------------------------------------------------------- vblock
⊢ Ψ, ([σ]C2)^L abstract

⊢ Ψ abstract    Ψ ⊢ A : type
------------------------------- vass
⊢ Ψ, x : A abstract


5.4.2 Context Schemas

Context schemas are abstract descriptions of parameter contexts. A well-formed context schema consists of several labeled block schemas; each block schema is closed by itself, i.e. it cannot rely on any other assumptions but the ones introduced by the block. That means, if SOME C1. BLOCK C2 is a block schema, then C1, C2 must form a context.

In this subsection we specify a set of inference rules for well-formed context schemas. By inspection of the definition of context schemas, it becomes immediately evident that this well-formedness judgment is defined in terms of two auxiliary judgments: one judgment for well-formed block schemas and one for well-formedness of context forms.

Judgments

Well-formed context schemas:  ⊢ S Schema
Well-formed block schemas:    ⊢ B Block
Well-formed context forms:    C1 ⊢ C2 Ctx

The rules defining these three judgments are entirely straightforward. The only thing to pay attention to is that, for block schemas, we first have to check that the SOME-component is well-formed, and then that the BLOCK-component is also well-formed. We tacitly assume that all labels are distinct.

Rules

---------------
⊢ · Schema

⊢ S Schema    ⊢ B Block
-----------------------------
⊢ S, B^L Schema

· ⊢ C1 Ctx    C1 ⊢ C2 Ctx
-----------------------------
⊢ SOME C1. BLOCK C2 Block

---------------
C1 ⊢ · Ctx

C1 ⊢ C2 Ctx    C1, C2 ⊢ A type
-----------------------------------
C1 ⊢ C2, x : A Ctx

Example 5.9 (Well-formed context schema) The context schema from Lemma 4.10 is well-formed:

⊢ (SOME T : tp. BLOCK x : term T, u : x ⇒ x)^{L1} | (BLOCK α : tp)^{L2} Schema

5.4.3 Formulas

In M2+, there are two notions of formulas. First there are "formulas" that express properties, and second there are "general formulas". General formulas bind one context schema, which states the form of the extensions of the regular world. In order to judge whether a general formula is well-formed, the inference rules have to ensure that the context schema is well-formed and that every quantifier is well-typed.

Judgments:

Well-formed general formulas:  ⊢ G general
Well-formed formulas:          Ψ ⊢ F formula

The judgment for general formulas is indexed by an LF signature, whereas the judgment for regular formulas is also indexed by a context schema. In addition, assumptions and variable blocks bound by universal quantifiers may occur anywhere in the body of the formula. Hence, the judgment for well-formed formulas is defined with respect to a generalized context.

Rules

⊢_Σ S Schema    · ⊢_{Σ;S} F formula
------------------------------------- vctx
⊢_Σ □S. F general

Ψ, x : A ⊢_{Σ;S} F formula
------------------------------- v∀
Ψ ⊢_{Σ;S} ∀x : A. F formula

Ψ, ρ^L ⊢_{Σ;S} F formula
------------------------------- vΠ
Ψ ⊢_{Σ;S} Πρ^L. F formula

Ψ, x : A ⊢_{Σ;S} F formula
------------------------------- v∃
Ψ ⊢_{Σ;S} ∃x : A. F formula

Ψ ⊢_{Σ;S} F1 formula    Ψ ⊢_{Σ;S} F2 formula
---------------------------------------------- v∧
Ψ ⊢_{Σ;S} F1 ∧ F2 formula

⊢_{Σ;S} Ψ abstract
--------------------------- vtrue
Ψ ⊢_{Σ;S} ⊤ formula

In the remainder of this thesis, we drop the subscripts Σ and Σ; S from these judgments and rules.

Example 5.10 (Well-formed formula) The formulation of the diamond lemma (Lemma 4.6) is well-formed:

⊢ □(SOME T : tp. BLOCK x : term T, u : x ⇒ x)^L.
    ∀T : tp. ∀E : term T. ∀E_l : term T. ∀E_r : term T.
    ∀D_l : E ⇒ E_l. ∀D_r : E ⇒ E_r.
    ∃E' : term T. ∃R_l : E_l ⇒ E'. ∃R_r : E_r ⇒ E'. ⊤  general

This concludes our presentation of well-formed formulas. We continue with the presentation of the proof system for M2+.

5.4.4 M2+-Calculus

The design of the proof calculus for M2+ is inspired by a sequent calculus for first-order intuitionistic logic, but it is at the same time significantly different. It is similar in the sense that there are left rules and right rules, and it is different in the sense that there is no cut rule. In addition to the standard rules for formulas, there are also rules for general formulas. A particularly drastic change to the original set of left rules is caused by the introduction of new parameters. Intuitively, introducing new parameter blocks corresponds in informal reasoning to a hypothetical argument. If assumptions are introduced in a proof, all reasoning steps are hypothetical until the newly assumed hypotheses are discharged. This observation will have a drastic impact on the form of the left rules. We will present the inference system in small steps: in this section, for example, we only present the basic notion of provability, which we endow with proof terms in Section 5.5, recursion in Section 5.6, and lemmas in Section 5.7. The reader is asked to read this section very carefully and attentively in order to capture the essential differences between M2+ and the standard sequent calculus formulation.

Provability in M2+ is expressed by two judgments, ⊢ G and Ψ; Δ ⊢ F. The first judgment is indexed by Σ, the second by Σ; S. Ψ is the generalized context, describing all LF-level assumptions and variable blocks at any given state of the proof. Δ stands for a list of formulas, representing all meta-assumptions during a proof. Informally, Δ is the left-hand side of the sequent symbol ⊢. Formally, it is defined as


Meta-assumptions:  Δ ::= · | Δ, F

and meta-assumptions are well-formed if they satisfy the following judgment

Judgment

Well-formed meta-assumptions:  Ψ ⊢ Δ meta

which is defined by the following two rules.

Rules

⊢ Ψ abstract
------------------ vabstract
Ψ ⊢ · meta

Ψ ⊢ Δ meta    Ψ ⊢ F formula
------------------------------- vmeta
Ψ ⊢ Δ, F meta

Typical examples of formulas represented in Δ are the induction hypothesis and subformulas of the induction hypothesis resulting from partial applications. In Section 5.5 we will revisit the list of meta-assumptions and assign names to them, which are simply meta-variable names for the proof term calculus. But for the presentation of pure proof rules, it is enough to assume Δ to be a list of formulas.

Judgments

Provability of general formulas:  ⊢ G
Provability of formulas:          Ψ; Δ ⊢ F

The two provability judgments are not general enough to present the entire system of inference rules. As a matter of fact, they are only general enough to present approximately half of the system, namely the right rules. The special case of the left rules is discussed below. For the sake of clarity, we omit the index of the ⊢ symbol in the judgments for the definition of the rules below. It can easily be derived from the context.

·; · ⊢ F
---------------- generalR
⊢ □S. F

This is the only right rule for general formulas. The other right rules, for the provability of formulas, are almost straightforward. Ψ, interpreted as an LF context in the R∃ rule, provides all assumptions about LF objects known at the point in time when the rule is applied in a proof, and M is the witness object for the existential. Note that Δ does not change in any of these rules.

F ∈ Δ
---------------- axvar
Ψ; Δ ⊢ F

Ψ, x : A; Δ ⊢ F
---------------------- R∀
Ψ; Δ ⊢ ∀x : A. F

Ψ, ρ^L; Δ ⊢ F
---------------------- RΠ
Ψ; Δ ⊢ Πρ^L. F

Ψ ⊢ M : A    Ψ; Δ ⊢ F[M/x]
------------------------------ R∃
Ψ; Δ ⊢ ∃x : A. F

Ψ; Δ ⊢ F1    Ψ; Δ ⊢ F2
---------------------------- R∧
Ψ; Δ ⊢ F1 ∧ F2

------------ R⊤
Ψ; Δ ⊢ ⊤

The rule R∀ provides information about the existence of LF objects, and this information is stored in the generalized context. Similarly, the rule RΠ provides information about the form of the parameter context.

Now to the left rules. Differently from the right rules, where the defining formula occurs in the conclusion to the right of the ⊢ symbol, the defining formula for the left rules occurs to the left, in the assumption list. And typically there are as many rules as there are connectives. Applying a left rule in a backwards directed fashion means extending Δ by new assumptions resulting from manipulating this one formula. For example, if ∀x : A. F is this formula in Δ, we can use it and, for a well-typed object M of type A, assert the new assumption F[M/x]. In a first attempt, let us define the left rule for ∀ to be:

Ψ ⊢ M : A    Ψ; Δ1, ∀x : A. F, F[M/x], Δ2 ⊢ F'
------------------------------------------------- L∀
Ψ; Δ1, ∀x : A. F, Δ2 ⊢ F'

How would we use this rule in a proof? Consider for example the proof of the reflexivity Lemma 4.3, and in this proof the case for app. Furthermore, assume that the induction hypothesis is already contained in Δ:

∀T : tp. ∀E : term T. ∃D : E ⇒ E. ⊤  ∈ Δ

Applying the induction hypothesis means applying the rule L∀ bottom to top. In the example, assume that E1 has type T1 and E2 has type T2, and that all this information is represented by the generalized context Ψ:

Ψ = T1 : tp, T2 : tp, E1 : term T1, E2 : term T2

In the proof, we applied the induction hypothesis twice, once to T1 and E1, and once to T2 and E2. The L∀ rule provides exactly this functionality. After the first application, observe how the assumption list Δ grows.

Δ^(1) = ∀T : tp. ∀E : term T. ∃D : E ⇒ E. ⊤,
        ∀E : term T1. ∃D : E ⇒ E. ⊤

Then, after applying it a second time to the newly introduced assumption, we obtain:

Δ^(2) = ∀T : tp. ∀E : term T. ∃D : E ⇒ E. ⊤,
        ∀E : term T1. ∃D : E ⇒ E. ⊤,
        ∃D : E1 ⇒ E1. ⊤

Another application of the induction hypothesis, this time on T2 and E2, yields Δ^(3).

Δ^(3) = ∀T : tp. ∀E : term T. ∃D : E ⇒ E. ⊤,
        ∀E : term T1. ∃D : E ⇒ E. ⊤,
        ∃D : E1 ⇒ E1. ⊤,
        ∀E : term T2. ∃D : E ⇒ E. ⊤,
        ∃D : E2 ⇒ E2. ⊤

Note that in order to continue the proof, we have to extract the existentially quantified witness objects from the third and the fifth entry in Δ^(3) back into the generalized context. In natural deduction this is done by the existential elimination rule, which corresponds in the sequent calculus to the existential left rule:

Ψ, x : A; Δ1, ∃x : A. F1, F1, Δ2 ⊢ F
---------------------------------------- L∃
Ψ; Δ1, ∃x : A. F1, Δ2 ⊢ F

Ψ has not changed while applying the L∀ rule, but it does when applying the L∃ rule, which we must do twice: the first application extends the generalized context by the (true) assumption that E1 ⇒ E1,

Ψ^(5) = T1 : tp, T2 : tp, E1 : term T1, E2 : term T2, P1 : E1 ⇒ E1

and the second by the (true) assumption that E2 ⇒ E2:

Ψ^(6) = T1 : tp, T2 : tp, E1 : term T1, E2 : term T2, P1 : E1 ⇒ E1, P2 : E2 ⇒ E2

All in all, the proof of the case can be finished by applying R∃ with M = papp P1 P2 followed by an application of R⊤.

Unfortunately, the two rules just presented do not apply to the hypothetical reasoning case. Consider for example the lam case in the proof of the reflexivity Lemma 4.3 for parallel reduction: before we apply the induction hypothesis, we have to assume the existence of a parameter block of the form x : term T, u : x ⇒ x. When are these assumptions discharged? Obviously, they can only be discharged after the induction hypothesis is applied to all arguments and all witness objects are moved into the generalized context. From a formal point of view, this operation corresponds to several applications of the L∀ rule, followed by several applications of the L∃ rule.

Now it becomes difficult. We claim that we have to be very careful about when to introduce and when to discharge variable blocks! Just imagine two simultaneous applications of the induction hypothesis, where the first is hypothetical (that means it must extend the world by a new variable block) and the other isn't. Which formulas are valid in which world? The problem reduces to the question of proper scoping of world extensions. In a standard sequent calculus, the context of assumptions has intuitionistic properties, that is, once an assumption is introduced it is present in the context of all judgments in the premiss. The situation for world extensions, on the other hand, is different. A world is typically extended before an induction hypothesis is applied, and discharged afterwards. Thus, extensions to the world do not possess the standard intuitionistic properties.

Seemingly, we need to extend the world only for the purpose of induction hypothesis and lemma application. Our solution is to introduce a new judgment that explicitly tracks world extensions. This judgment is defined exclusively in terms of the left rules, since they are the ones needed for applying an induction hypothesis, precisely L∀ and L∃. While applying the left rules we do not record changes in Ψ immediately. Instead we collect all information and add it to the intuitionistic context only after the last left rule is applied. This judgment entitles us to reason hypothetically. A special derivation rule which interfaces the standard derivability judgment with the new judgment extends Ψ accordingly. Back to the example of the proof of the reflexivity Lemma 4.3 for parallel reduction. This time, we consider the "lam"-case. Recall that we have to show that E = lam (λx : term T. E' x) reduces to itself. Formally, we have to construct an LF object of type (lam (λx : term T. E' x)) ⇒ (lam (λx : term T. E' x)). This situation is summarized by the following generalized context:

Ψ = T : tp, T' : tp, E' : term T → term T'

We begin now with a formal appeal to the induction hypothesis. First, we assume the existence of a new parameter block x : term T, u : x ⇒ x. Then we apply L∀ to T'.

Δ^(1) = ∀T : tp. ∀E : term T. ∃D : E ⇒ E. ⊤,
        ∀E : term T'. ∃D : E ⇒ E. ⊤

We then use L∀ once again, this time on (E' x), which has type term T'. Note that from an algorithmic point of view the type of E' already prompts for an extension of the world; otherwise no induction hypothesis is applicable at all.

Δ^(2) = ∀T : tp. ∀E : term T. ∃D : E ⇒ E. ⊤,
        ∀E : term T'. ∃D : E ⇒ E. ⊤,
        ∃D : (E' x) ⇒ (E' x). ⊤

And finally we apply L∃ and obtain a new assumption: P : (E' x) ⇒ (E' x). Clearly, in order to add P to the generalized context, we have to abstract according to Equation (4.1) on page 76, and we obtain

Ψ^(3) = T : tp, T' : tp, E' : term T → term T',
        P : Πx : term T. Πu : x ⇒ x. (E' x) ⇒ (E' x)

Similarly, we abstract the new meta-assumptions in Δ^(2) and obtain

Δ^(3) = ∀T : tp. ∀E : term T. ∃D : E ⇒ E. ⊤,
        Π(x : term T, u : x ⇒ x)^L. ∀E : term T'. ∃D : E ⇒ E. ⊤,
        Π(x : term T, u : x ⇒ x)^L. ∃D : (E' x) ⇒ (E' x). ⊤

How do we represent the extension of the world in the judgment still to be defined? The answer is that we simply extend the generalized context Ψ by the declaration of a new variable block. But in general this information is not enough to abstract the hypothetical assumptions after the application of the left rules is finished, because there are possibly many variable blocks declared in Ψ, and many of them must not be discharged. Which variable blocks must be discharged and abstracted after a successful application of the left rules is represented by the derivation in M2+: abstraction takes place while unraveling the trace of left rules. The left rules are defined via a new judgment which we call provability of declarations.
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Judgment 


Provability  of  declarations:  $;Ah  T';  A' 

The  generalized  context  4>,  and  the  list  of  meta- assumptions  A  on  the  left  carry  the  same 
meaning  as  in  the  judgments  for  provability  and  general  provability  above.  4'  is  used  to  capture 
extensions  of  the  current  world.  4^  and  A'  declared  left  of  the  h  symbol  represent  a  list  new 
assumptions  and  new  meta-assumptions  which  are  synthesized  during  the  application  of  the  left 
rules,  and  which  will  be  added  eventually  to  the  generalized  context.  Operationally  interpreted, 
4/'  and  A'  are  constructed  after  all  left  rules  are  applied.  The  judgment  can  be  read  as  a  function: 
4';  A  are  input  variables,  and  4'';  A'  are  output  variables.  Initially,  in  the  example,  before  the 
induction  hypothesis  is  applied,  4>  and  A  have  the  following  form: 

=  T  :  tp,  T'  :  tp,  E'  :  term  T  ->  term  V 
A*1*  =  VT  :  tp.  ME  :  term  T.  3D  :  E  =4  E.T 

We start now with the application of the induction hypothesis. First, a parameter block is introduced, and its existence is made visible by a variable block in the generalized context:

\[
\begin{array}{lcl}
\Psi^{(2)} & = & T : \mathsf{tp},\ T' : \mathsf{tp},\ E' : \mathsf{term}\ T \rightarrow \mathsf{term}\ T',\ (x : \mathsf{term}\ T,\ u : x \Longrightarrow x)^L \\
\Delta^{(2)} & = & \forall T : \mathsf{tp}.\ \forall E : \mathsf{term}\ T.\ \exists D : E \Longrightarrow E.\ \top
\end{array}
\]

Next, the induction hypothesis is applied to $T : \mathsf{tp}$ using a new version of the L$\forall$ rule, which we introduce formally below.

\[
\begin{array}{lcl}
\Psi^{(3)} & = & T : \mathsf{tp},\ T' : \mathsf{tp},\ E' : \mathsf{term}\ T \rightarrow \mathsf{term}\ T',\ (x : \mathsf{term}\ T,\ u : x \Longrightarrow x)^L \\
\Delta^{(3)} & = & \forall T : \mathsf{tp}.\ \forall E : \mathsf{term}\ T.\ \exists D : E \Longrightarrow E.\ \top, \\
& & \forall E : \mathsf{term}\ T.\ \exists D : E \Longrightarrow E.\ \top
\end{array}
\]

Another application of the rule L$\forall$, this time to $E'\,x$ (well-typed in $\Psi^{(3)}$), yields

\[
\begin{array}{lcl}
\Psi^{(4)} & = & T : \mathsf{tp},\ T' : \mathsf{tp},\ E' : \mathsf{term}\ T \rightarrow \mathsf{term}\ T',\ (x : \mathsf{term}\ T,\ u : x \Longrightarrow x)^L \\
\Delta^{(4)} & = & \forall T : \mathsf{tp}.\ \forall E : \mathsf{term}\ T.\ \exists D : E \Longrightarrow E.\ \top, \\
& & \forall E : \mathsf{term}\ T.\ \exists D : E \Longrightarrow E.\ \top, \\
& & \exists D : (E'\,x) \Longrightarrow (E'\,x).\ \top
\end{array}
\]

which allows us to assume the existence of a $P : (E'\,x) \Longrightarrow (E'\,x)$, well-typed in $\Psi^{(4)}$, by rule L$\exists$ (also defined below); the body of the last formula in $\Delta^{(4)}$ becomes a meta-assumption.

\[
\begin{array}{lcl}
\Psi^{(5)} & = & T : \mathsf{tp},\ T' : \mathsf{tp},\ E' : \mathsf{term}\ T \rightarrow \mathsf{term}\ T',\ (x : \mathsf{term}\ T,\ u : x \Longrightarrow x)^L, \\
& & P : (E'\,x) \Longrightarrow (E'\,x) \\
\Delta^{(5)} & = & \forall T : \mathsf{tp}.\ \forall E : \mathsf{term}\ T.\ \exists D : E \Longrightarrow E.\ \top, \\
& & \forall E : \mathsf{term}\ T.\ \exists D : E \Longrightarrow E.\ \top, \\
& & \exists D : (E'\,x) \Longrightarrow (E'\,x).\ \top, \\
& & \top
\end{array}
\]
The induction hypothesis is now completely applied, and we can begin to unravel the trace of left rule applications. Unraveling in this sense means to step back through the call tree while discharging and abstracting hypothetical parameter blocks. Simultaneously, we construct $\Psi'$ and $\Delta'$, the extensions of the original generalized context and meta-assumption list. In the last step, nothing has been done, so both extensions are empty.

\[
\begin{array}{lcl}
\Psi'^{(5)} & = & \cdot \\
\Delta'^{(5)} & = & \cdot
\end{array}
\]

In the step before that, two assumptions were recorded, one in the generalized context, the other in $\Delta$:

\[
\begin{array}{lcl}
\Psi'^{(4)} & = & P : (E'\,x) \Longrightarrow (E'\,x) \\
\Delta'^{(4)} & = & \top
\end{array}
\]

Note that $\Psi^{(4)}, \Psi'^{(4)}$ is a generalized context, and $\Delta^{(4)}, \Delta'^{(4)}$ is a meta-assumption list. Another step before, we applied the L$\forall$ rule, and thus we add the newly generated meta-assumption to the left.

\[
\begin{array}{lcl}
\Psi'^{(3)} & = & P : (E'\,x) \Longrightarrow (E'\,x) \\
\Delta'^{(3)} & = & \exists D : (E'\,x) \Longrightarrow (E'\,x).\ \top, \\
& & \top
\end{array}
\]

Note that we maintain the invariant that $\Delta^{(3)}, \Delta'^{(3)}$ is a valid meta-assumption list.

\[
\begin{array}{lcl}
\Psi'^{(2)} & = & P : (E'\,x) \Longrightarrow (E'\,x) \\
\Delta'^{(2)} & = & \forall E : \mathsf{term}\ T.\ \exists D : E \Longrightarrow E.\ \top, \\
& & \exists D : (E'\,x) \Longrightarrow (E'\,x).\ \top, \\
& & \top
\end{array}
\]

The last step in this example is the important one because it demonstrates how to discharge assumptions by abstracting and internalizing the parameter block assumed in the first application of the parameter introduction rule. Informally, we apply Equation (4.1) to all assumptions in $\Psi'^{(2)}$ in order to obtain $\Psi'^{(1)}$, and simply bind the new meta-level assumptions by $\Pi$. The result is

\[
\begin{array}{lcl}
\Psi'^{(1)} & = & P : \Pi x : \mathsf{term}\ T.\ \Pi u : x \Longrightarrow x.\ (E'\,x) \Longrightarrow (E'\,x) \\
\Delta'^{(1)} & = & \Pi(x : \mathsf{term}\ T,\ u : x \Longrightarrow x)^L.\ \forall E : \mathsf{term}\ T.\ \exists D : E \Longrightarrow E.\ \top, \\
& & \Pi(x : \mathsf{term}\ T,\ u : x \Longrightarrow x)^L.\ \exists D : (E'\,x) \Longrightarrow (E'\,x).\ \top, \\
& & \Pi(x : \mathsf{term}\ T,\ u : x \Longrightarrow x)^L.\ \top
\end{array}
\]

and the proof can continue with $\Psi^{(1)}, \Psi'^{(1)}; \Delta^{(1)}, \Delta'^{(1)}$, that is:

\[
\begin{array}{lcl}
\Psi^{(1)}, \Psi'^{(1)} & = & T : \mathsf{tp},\ T' : \mathsf{tp},\ E' : \mathsf{term}\ T \rightarrow \mathsf{term}\ T', \\
& & P : \Pi x : \mathsf{term}\ T.\ \Pi u : x \Longrightarrow x.\ (E'\,x) \Longrightarrow (E'\,x) \\
\Delta^{(1)}, \Delta'^{(1)} & = & \forall T : \mathsf{tp}.\ \forall E : \mathsf{term}\ T.\ \exists D : E \Longrightarrow E.\ \top, \\
& & \Pi(x : \mathsf{term}\ T,\ u : x \Longrightarrow x)^L.\ \forall E : \mathsf{term}\ T.\ \exists D : E \Longrightarrow E.\ \top, \\
& & \Pi(x : \mathsf{term}\ T,\ u : x \Longrightarrow x)^L.\ \exists D : (E'\,x) \Longrightarrow (E'\,x).\ \top, \\
& & \Pi(x : \mathsf{term}\ T,\ u : x \Longrightarrow x)^L.\ \top
\end{array}
\]
This concludes our motivational example of how to formalize hypothetical reasoning. The skeptical user might wonder why it is necessary to also maintain $\Delta'$. As a matter of fact, it is not. But because partially applied lemmas are always available in a regular intuitionistic sequent calculus, we have decided to also keep them in $\mathcal{M}_2^+$.

What remains to be done is a formal definition of the rules that we have used in this example. We start with the presentation of the interface rule sel, which triggers a sequence of left rules in a very similar manner as shown in the example above.

\[
\frac{\Psi; \Delta \vdash \Psi'; \Delta' \qquad \Psi, \Psi'; \Delta, \Delta' \vdash F}{\Psi; \Delta \vdash F}\ \mathrm{sel}
\]

The first rule, Ldone, is the rule which terminates a sequence of left rules. It is basically the complementary rule to sel, which can be seen as the initiator of a sequence of left rules.

\[
\frac{}{\Psi; \Delta \vdash \cdot\,;\, \cdot}\ \mathrm{Ldone}
\]

The second rule, Lnew, supports the introduction of new parameters. $\Psi'; \Delta'$ are the returned extensions of the generalized context and the meta-assumptions, which are abstracted accordingly. Tentatively, as a first sketch, we write $\Pi\rho.\,A$ to abstract over a variable block.

\[
\begin{array}{lcl}
\Pi\cdot.\ A_2 & = & A_2 \\
\Pi(x : A_1, \rho).\ A_2 & = & \Pi x : A_1.\ (\Pi\rho.\ A_2)
\end{array}
\]

Note that this definition omits the underlines below $x$ because the result of abstraction lives in LF. Our definition of abstraction can be easily generalized to lists of assumptions: $\Pi\rho^L.\,(\Psi'; \Delta')$. Note that this $\Pi$ is not a constructor, neither in LF nor in $\mathcal{M}_2^+$; it is merely an abbreviation for a function that performs the abstraction on the fly. In Section C.2.2 we refine abstraction to account only for variable declarations that may occur in the body of $A$. Declarations which cannot occur in $A$ should be omitted.
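The two-clause definition of $\Pi\rho.\,A$ above, together with its extension to the returned lists $\Pi\rho^L.\,(\Psi'; \Delta')$, is small enough to write down as code. The following Python is an added example, not part of the thesis or of the Twelf system; its names (Var, App, Pi, free_vars, abstract_block, abstract_ext, show, BLOCK, P_TYPE) and the set it uses to tell constants from variables are this example's own assumptions. With prune=False it reproduces the abstraction of $P : (E'\,x) \Longrightarrow (E'\,x)$ over the block $(x : \mathsf{term}\ T, u : x \Longrightarrow x)^L$ from the example above; with prune=True it implements our reading of the refinement deferred to Section C.2.2, keeping only declarations on which the body transitively depends.

```python
# Added example (not from the thesis): Pi rho . A over a small AST.
# Var, App, Pi, free_vars, abstract_block, abstract_ext, show, CONSTANTS,
# BLOCK and P_TYPE are names assumed by this example, not Twelf's.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Var:                       # an LF variable such as T, E', x, u
    name: str


@dataclass(frozen=True)
class App:                       # head applied to arguments: term T, E' x, x => x
    head: str
    args: Tuple[object, ...] = ()


@dataclass(frozen=True)
class Pi:                        # Pi var : dom . body
    var: str
    dom: object
    body: object


CONSTANTS = {"tp", "term", "=>", "top"}   # heads that are constants, not variables
Block = List[Tuple[str, object]]          # (x : term T, u : x => x)^L as [(name, type), ...]


def free_vars(a) -> set:
    if isinstance(a, Var):
        return {a.name}
    if isinstance(a, App):
        fv = set() if a.head in CONSTANTS else {a.head}
        for t in a.args:
            fv |= free_vars(t)
        return fv
    return free_vars(a.dom) | (free_vars(a.body) - {a.var})


def abstract_block(block: Block, body, prune: bool = False):
    """Pi (x1:A1, ..., xn:An). body  =  Pi x1:A1. ... Pi xn:An. body, built from
    the right.  With prune=True a declaration is kept only if its variable occurs
    in the body or in the type of a later kept declaration (our reading of the
    refinement the text defers to Section C.2.2)."""
    result, needed = body, free_vars(body)
    for name, typ in reversed(block):
        if prune and name not in needed:
            continue
        result = Pi(name, typ, result)
        needed |= free_vars(typ)        # the kept declaration may depend on earlier ones
    return result


def abstract_ext(block: Block, psi: List[Tuple[str, object]], delta: List[object],
                 prune: bool = False):
    """Pi rho^L . (Psi'; Delta'): abstract over every returned assumption."""
    return ([(n, abstract_block(block, a, prune)) for n, a in psi],
            [abstract_block(block, f, prune) for f in delta])


def show(a) -> str:
    if isinstance(a, Var):
        return a.name
    if isinstance(a, App):
        return a.head if not a.args else f"({a.head} {' '.join(show(t) for t in a.args)})"
    return f"Pi {a.var}:{show(a.dom)}. {show(a.body)}"


# Constructed input: the block and the assumption P of the worked example
BLOCK = [("x", App("term", (Var("T"),))), ("u", App("=>", (Var("x"), Var("x"))))]
P_TYPE = App("=>", (App("E'", (Var("x"),)), App("E'", (Var("x"),))))

if __name__ == "__main__":
    print(show(abstract_block(BLOCK, P_TYPE)))               # both declarations bound
    print(show(abstract_block(BLOCK, P_TYPE, prune=True)))   # u pruned: P does not mention it
```

Pruning is transitive: a body that mentions only $u$ still keeps $x$, because the type of $u$ mentions $x$.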

\[
\frac{(\mathrm{SOME}\ c_1.\ \mathrm{BLOCK}\ c_2)^L \in S \qquad \Psi \vdash \sigma : c_1 \qquad \Psi \vdash \rho =_\alpha [\sigma]c_2 \qquad \Psi, \rho^L; \Delta \vdash \Psi'; \Delta'}{\Psi; \Delta \vdash \Pi\rho^L.\,(\Psi'; \Delta')}\ \mathrm{Lnew}
\]

The L$\forall$ and L$\Pi$ rules generalize the L$\forall$ rule used above. Note that we must ensure, as a premiss of L$\forall$, that $M$ is well-typed, and likewise, as a premiss of L$\Pi$, that $\rho'$ is well-typed. In the former case we use the typing judgments from LF, in the latter abstract type convertibility for variable blocks.

\[
\frac{\Psi; \Delta \vdash \forall x : A.\,F \qquad \Psi \vdash M : A \qquad \Psi; \Delta, F[M/x] \vdash \Psi'; \Delta'}{\Psi; \Delta \vdash \Psi'; F[M/x], \Delta'}\ \mathrm{L}\forall
\]

\[
\frac{\Psi; \Delta \vdash \Pi\rho^L.\,F \qquad \rho'^L \in \Psi \qquad \Psi \vdash \rho' =_\alpha \rho \qquad \Psi; \Delta, F[\rho'/\rho] \vdash \Psi'; \Delta'}{\Psi; \Delta \vdash \Psi'; F[\rho'/\rho], \Delta'}\ \mathrm{L}\Pi
\]

The L$\exists$ rule is the only rule which extends the generalized context $\Psi'$.

\[
\frac{\Psi; \Delta \vdash \exists x : A.\,F \qquad \Psi, x : A; \Delta, F \vdash \Psi'; \Delta'}{\Psi; \Delta \vdash x : A, \Psi'; F, \Delta'}\ \mathrm{L}\exists
\]


118 


CHAPTER  5.  THE  META-LOGIC  M\ 


119 


Finally, there are two rules which project the left or right proof term from a conjunction.

\[
\frac{\Psi; \Delta \vdash F_1 \wedge F_2 \qquad \Psi; \Delta, F_1 \vdash \Psi'; \Delta'}{\Psi; \Delta \vdash \Psi'; F_1, \Delta'}\ \mathrm{L}\wedge_1
\]

\[
\frac{\Psi; \Delta \vdash F_1 \wedge F_2 \qquad \Psi; \Delta, F_2 \vdash \Psi'; \Delta'}{\Psi; \Delta \vdash \Psi'; F_2, \Delta'}\ \mathrm{L}\wedge_2
\]


This concludes our presentation of the proof system for $\mathcal{M}_2^+$. On the one hand, the proof system borrows many ideas and concepts from the sequent calculus for intuitionistic logic; on the other hand, it is significantly different. In order to accommodate hypothetical reasoning, for example, the original judgments must be specialized. New parameter blocks are introduced by the rule Lnew, which also abstracts the results of applying the induction hypothesis appropriately. The method of abstraction is not as straightforward as it may seem from the examples above; we postpone the detailed discussion until Section 6.2.2.

The remainder of this chapter is organized in three parts. First we add proof terms to $\mathcal{M}_2^+$, which formalize meta-proofs by summarizing entire $\mathcal{M}_2^+$-derivations and which form the basis of our soundness argument. Second, we add two rules in order to express case analysis and recursion, which generalize the proof term calculus to a calculus for recursive functions, and third we add lemmas to the meta-logic. Recursion and case analysis allow us to encode proofs "by induction" over higher-order encodings that may violate the positivity condition associated with standard inductive definitions.


5.5 Proof Term Calculus

In this section, we endow the proof calculus of $\mathcal{M}_2^+$ with proof terms. Proof terms are very concise representations of derivations in a formal system. As a matter of fact, given a proof term for a theorem, the original derivation can be unambiguously reconstructed. But this is not the only advantage of proof terms: in general it is possible to interpret them operationally. Consider the natural deduction calculus for propositional logic by Gentzen [Gen35, Pra65]. Each derivation of a formula can be uniquely represented by a simply-typed $\lambda$-term using the propositions-as-types principle. This observation goes back to Howard [How69] and is commonly known as the Curry-Howard isomorphism. In this work, we interpret proof terms as recursive functions, and by a realizability argument we will eventually infer the soundness of $\mathcal{M}_2^+$. By moving the soundness argument of $\mathcal{M}_2^+$ from the logical level to the proof term level, we manage to avoid stating explicit induction principles for higher-order encodings. Instead, we argue that $\mathcal{M}_2^+$ is sound because it only admits proof terms that guarantee complete case coverage and well-founded recursion.

We begin with the presentation of a proof term calculus for $\mathcal{M}_2^+$. In Chapter 6 we then define a type-preserving operational semantics for it, and in Chapter 7 we will show that each function is total, yielding a soundness proof for $\mathcal{M}_2^+$. All recursive functions presented in Chapter 4 are proof terms. For improved readability, so far we have used some syntactic sugar in order to make proof terms more accessible to the user, and we omitted for example all implicit arguments in order to simplify the presentation, but in essence, the proof terms we present in this section have all been already discussed informally. As an example, consider the proof of the reflexivity Lemma 4.3.


    fun refl x = u
      | refl (lam (λx : term T. E' x)) =
          let
            new x : term T, u : x ⇒ x
            val P x u = refl (E' x)
          in
            plam (λx : term T. λu : x ⇒ x. P x u)
          end
      | refl (app E1 E2) =
          let
            val P1 = refl E1
            val P2 = refl E2
          in
            papp P1 P2
          end


In this section we concentrate on proof terms representing the body of each of the cases. The presentation of proof terms for pattern matching and recursion is postponed until the next Section 5.6. There are three kinds of proof terms: general proof terms for general provability judgments $\vdash G$, proof terms or programs for the right rules expressed by the judgment $\Psi; \Delta \vdash F$, and declarations for the left rules, expressed by the provability judgment $\Psi; \Delta \vdash \Psi'; \Delta'$. General proof terms are abbreviated with $Q$, proof terms with $P$ and declarations with $D$. In order not to confuse provability on the meta-level with typability on the logical framework level, we use $\in$ as the structural symbol in $\Delta$ and between proof terms and formulas.

Judgments

Provability of general formulas: $\vdash Q \in G$
Provability of formulas: $\Psi; \Delta \vdash P \in F$
Provability of declarations: $\Psi; \Delta \vdash D \in \Psi'; \Delta'$

In  the  following  three  subsections,  we  define  proof  terms  for  each  of  the  three  judgments. 


5.5.1 Provability of General Formulas

There is only one general formula. It is the closure operator, and it binds the context schema in which the formula makes sense. It is mandatory to represent the context schema on the level of proof terms since we cannot apply a lemma without validating the context schema of the called lemma.

General proof terms: $Q ::= \mathsf{box}\ S.\,P$

\[
\frac{\cdot\,;\, \cdot \vdash P \in F}{\vdash \mathsf{box}\ S.\,P \in \Box S.\,F}\ \mathrm{generalR}
\]

Note again that the judgment in the premiss of this rule is implicitly indexed by the context schema $S$. We discuss how to use proofs of general formulas as lemmas in Section 5.7.
5.5.2 Provability of Formulas

The proof terms for the provability judgment for formulas and inference rules provide an operational interpretation of derivations in $\mathcal{M}_2^+$. Recall that the provability judgment of formulas is defined by the right rules of the proof calculus of $\mathcal{M}_2^+$. Proof terms for the judgment whose validity is given by left rules are presented in Section 5.5.3. We start by endowing the axvar rule with a proof term. As in any other proof term calculus [Gal93], assumptions are named and the name of an assumption is used as the proof term. Specifically, in our setting, meta-assumptions are labeled with variable names. Since this is already the third variable concept presented in this thesis, but the first for the meta-level, we call them meta-variables and use little bold Roman letters to denote them ($\mathbf{x}, \mathbf{y}, \mathbf{z}$). The list of meta-assumptions is generalized accordingly.

Meta-assumptions: $\Delta ::= \cdot \mid \Delta, \mathbf{x} \in F$

As usual, we assume that all meta-variable names among meta-assumptions in $\Delta$ are pairwise distinct. Assigning meta-variable names to meta-assumptions extends the rule vmeta slightly.

\[
\frac{\vdash \Psi\ \mathrm{abstract}}{\Psi \vdash \cdot\ \mathrm{meta}}\ \mathrm{vabstract}
\qquad
\frac{\Psi \vdash \Delta\ \mathrm{meta} \qquad \Psi \vdash F\ \mathrm{formula}}{\Psi \vdash \Delta, \mathbf{x} \in F\ \mathrm{meta}}\ \mathrm{vmeta}
\]

All meta-variables defined in $\Delta$ are subject to instantiation, and instantiation of variables is best described by substitutions. In particular, in the case of meta-contexts and meta-variables, we introduce the notion of meta-substitution and denote it with $\theta$.

Meta-substitutions: $\theta ::= \cdot \mid \theta, P/\mathbf{x}$

The newly introduced meta-variables are used as proof terms for the rule axvar. If $\mathbf{x} \in F$ is an assumption in $\Delta$, then $\mathbf{x}$ is a proof term for $F$.

\[
\frac{(\mathbf{x} \in F) \in \Delta}{\Psi; \Delta \vdash \mathbf{x} \in F}\ \mathrm{axvar}
\]

The proof term for the R$\forall$ rule is a simple abstraction, similar to the $\lambda$-abstraction in the standard simply-typed $\lambda$-calculus. The proof term has the form $\Lambda x : A.\,P$. Similarly, the proof term for R$\Pi$ is an abstraction over variable blocks, which can, at runtime, only be instantiated with other variable blocks. The proof term for R$\Pi$ has the form $\Lambda\rho^L.\,P$.

\[
\frac{\Psi, x : A; \Delta \vdash P \in F}{\Psi; \Delta \vdash \Lambda x : A.\,P \in \forall x : A.\,F}\ \mathrm{R}\forall
\qquad
\frac{\Psi, \rho^L; \Delta \vdash P \in F}{\Psi; \Delta \vdash \Lambda\rho^L.\,P \in \Pi\rho^L.\,F}\ \mathrm{R}\Pi
\]

Not surprisingly, the proof term for the R$\exists$ rule looks like a pair $\langle M, P\rangle$, where $M$ is a well-typed LF object, the witness object for the existential, and $P$ is the proof term for the body of the existential formula. As a matter of fact, the proof term for the conjunction rule is very similar; it is also a pair, where each component is a proof term of the left and right formula, respectively. Its form is $\langle P_1, P_2\rangle$.

\[
\frac{\Psi \vdash M : A \qquad \Psi; \Delta \vdash P \in F[M/x]}{\Psi; \Delta \vdash \langle M, P\rangle \in \exists x : A.\,F}\ \mathrm{R}\exists
\qquad
\frac{\Psi; \Delta \vdash P_1 \in F_1 \qquad \Psi; \Delta \vdash P_2 \in F_2}{\Psi; \Delta \vdash \langle P_1, P_2\rangle \in F_1 \wedge F_2}\ \mathrm{R}\wedge
\]
The rule for $\top$ is endowed with the symbol $\langle\rangle$ as proof term. Clearly, $\langle\rangle$ does not expect any arguments.

\[
\frac{}{\Psi; \Delta \vdash \langle\rangle \in \top}\ \mathrm{R}\top
\]

And finally, there is a proof term for the interface rule sel. A derivation of the provability judgment for declarations corresponds exactly to the list of declarations in a let-expression, as depicted in the following excerpt from the proof of the reflexivity Lemma 4.3 for parallel reduction.

    let
      new x : term T, u : x ⇒ x
      val P x u = refl (E' x)
    in
      plam (λx : term T. λu : x ⇒ x. P x u)
    end

The list of declarations is represented by declarations $D$; the proof term for the body is $P$. Together they form the arguments to a proof term for the sel rule, which we denote as $\mathsf{let}\ D\ \mathsf{in}\ P$.

\[
\frac{\Psi; \Delta \vdash D \in \Psi'; \Delta' \qquad \Psi, \Psi'; \Delta, \Delta' \vdash P \in F}{\Psi; \Delta \vdash \mathsf{let}\ D\ \mathsf{in}\ P \in F}\ \mathrm{sel}
\]

All in all, there are seven different proof term constructors, one for each rule, and all are different. That is, given a proof term, one can immediately reconstruct the derivation by decomposing the proof term into its components. Here is a complete list of all the proof terms for formulas.

Proof terms: $P ::= \mathbf{x} \mid \Lambda x : A.\,P \mid \Lambda\rho^L.\,P \mid \langle M, P\rangle \mid \langle P_1, P_2\rangle \mid \langle\rangle \mid \mathsf{let}\ D\ \mathsf{in}\ P$

This concludes the presentation of proof terms for the provability judgment for formulas. On the one hand, this fragment is very weak, because it can neither apply induction hypotheses nor lemmas, nor perform any kind of case analysis; on the other hand, we can already represent small, easy proofs. As an example, consider the following very simple lemma, which states that two single parallel reduction steps can be appended into a multi-step parallel reduction.

Lemma 5.11 (Append two single parallel reduction steps) If $\mathcal{D}_1 :: e_1 \Longrightarrow e_2$ and $\mathcal{D}_2 :: e_2 \Longrightarrow e_3$ then there exists a $\mathcal{D} :: e_1 \Longrightarrow^{*} e_3$.

Its formalization in $\mathcal{M}_2^+$ has the following form:

\[
\begin{array}{l}
\Box\cdot.\ \forall T : \mathsf{tp}.\ \forall E_1 : \mathsf{term}\ T.\ \forall E_2 : \mathsf{term}\ T.\ \forall E_3 : \mathsf{term}\ T. \\
\quad \forall D_1 : E_1 \Longrightarrow E_2.\ \forall D_2 : E_2 \Longrightarrow E_3. \\
\quad \exists D : E_1 \Longrightarrow^{*} E_3.\ \top
\end{array}
\]

And the proof is very simple:

\[
\frac{\overset{\mathcal{D}_1}{E_1 \Longrightarrow E_2} \qquad \dfrac{\overset{\mathcal{D}_2}{E_2 \Longrightarrow E_3} \qquad \dfrac{}{E_3 \Longrightarrow^{*} E_3}\ \mathrm{pid}}{E_2 \Longrightarrow^{*} E_3}\ \mathrm{pstep}}{E_1 \Longrightarrow^{*} E_3}\ \mathrm{pstep}
\]

and so is its representation as a proof term in $\mathcal{M}_2^+$:

\[
\begin{array}{l}
\mathsf{box}\ \cdot.\ \Lambda T : \mathsf{tp}.\ \Lambda E_1 : \mathsf{term}\ T.\ \Lambda E_2 : \mathsf{term}\ T.\ \Lambda E_3 : \mathsf{term}\ T. \\
\quad \Lambda D_1 : E_1 \Longrightarrow E_2.\ \Lambda D_2 : E_2 \Longrightarrow E_3. \\
\quad \langle \mathsf{pstep}\ D_1\ (\mathsf{pstep}\ D_2\ \mathsf{pid}), \langle\rangle \rangle
\end{array}
\]

In order to show more interesting examples, we must decorate the left rules with declarations and add case distinction and recursion. Therefore, a complete proof term for the reflexivity lemma can only be given at the end of Section 5.6.

5.5.3 Provability of Declarations

The proof terms $D$ for the provability judgment $\Psi; \Delta \vdash D \in \Psi'; \Delta'$ are called declarations, because they correspond directly to the sequence of declarations in a let statement. In this subsection we show how. Declarations are represented as a list. The simplest declaration is hence the empty list, and it is the proof term of Ldone. Following the line of empty contexts, empty signatures, and empty context schemas, we denote the empty proof term with $\cdot$.

\[
\frac{}{\Psi; \Delta \vdash \cdot \in \cdot\,;\, \cdot}\ \mathrm{Ldone}
\]

The proof term for Lnew has the form $\nu\rho^L.\,D$, where $\rho^L$ is a variable block representing the newly assumed parameter block, and $D$ is the list of subsequent declarations.

\[
\frac{S(L) = \mathrm{SOME}\ c_1.\ \mathrm{BLOCK}\ c_2 \qquad \Psi \vdash \sigma : c_1 \qquad \Psi \vdash \rho =_\alpha [\sigma]c_2 \qquad \Psi, \rho^L; \Delta \vdash D \in \Psi'; \Delta'}{\Psi; \Delta \vdash \nu\rho^L.\,D \in \Pi\rho^L.\,(\Psi'; \Delta')}\ \mathrm{Lnew}
\]

The declarations for L$\forall$ and L$\Pi$ are very similar. In the first case the declaration $\mathbf{y} \in F[M/x] = P\ M$, and in the second $\mathbf{y} \in F[\rho'/\rho] = P\ \rho'$, is added to the list of already determined declarations $D$. Judging by the form, $P$ is a functional proof term in both cases, expecting an LF object $M$ as argument in the first case and a variable block $\rho'$ in the second.

\[
\frac{\Psi; \Delta \vdash P \in \forall x : A.\,F \qquad \Psi \vdash M : A \qquad \Psi; \Delta, \mathbf{y} \in F[M/x] \vdash D \in \Psi'; \Delta'}{\Psi; \Delta \vdash (\mathbf{y} \in F[M/x] = P\ M, D) \in (\Psi'; \mathbf{y} \in F[M/x], \Delta')}\ \mathrm{L}\forall
\]

\[
\frac{\Psi; \Delta \vdash P \in \Pi\rho^L.\,F \qquad \rho'^L \in \Psi \qquad \Psi \vdash \rho' =_\alpha \rho \qquad \Psi; \Delta, \mathbf{y} \in F[\rho'/\rho] \vdash D \in \Psi'; \Delta'}{\Psi; \Delta \vdash (\mathbf{y} \in F[\rho'/\rho] = P\ \rho', D) \in (\Psi'; \mathbf{y} \in F[\rho'/\rho], \Delta')}\ \mathrm{L}\Pi
\]

The left rule for $\exists$ captures the result of an induction hypothesis and adds it to the generalized context. Formally, it is expressed by the declaration $\langle x : A, \mathbf{y} \in F\rangle = P$, where $P$ is a proof term which computes a pair $\langle M, P'\rangle$, and the declaration binds $x$ to $M$ and $\mathbf{y}$ to $P'$. And again, as we will see in the next chapter, $x$ and $\mathbf{y}$ must be explicitly typed.

\[
\frac{\Psi; \Delta \vdash P \in \exists x : A.\,F \qquad \Psi, x : A; \Delta, \mathbf{y} \in F \vdash D \in \Psi'; \Delta'}{\Psi; \Delta \vdash (\langle x : A, \mathbf{y} \in F\rangle = P, D) \in (x : A, \Psi'; \mathbf{y} \in F, \Delta')}\ \mathrm{L}\exists
\]

Finally, there are two projection rules for conjunction on the left. Informally, these rules are used to pick which induction hypothesis is supposed to be applied when proving a mutually inductive theorem. The declaration for selecting the left induction hypothesis is $\mathbf{x} \in F_1 = \pi_1\,P$, and the one for the right is, not very surprisingly, $\mathbf{x} \in F_2 = \pi_2\,P$, where $P$ represents the proof of the mutually inductive theorem.

\[
\frac{\Psi; \Delta \vdash P \in F_1 \wedge F_2 \qquad \Psi; \Delta, \mathbf{x} \in F_1 \vdash D \in \Psi'; \Delta'}{\Psi; \Delta \vdash (\mathbf{x} \in F_1 = \pi_1\,P, D) \in (\Psi'; \mathbf{x} \in F_1, \Delta')}\ \mathrm{L}\wedge_1
\]

\[
\frac{\Psi; \Delta \vdash P \in F_1 \wedge F_2 \qquad \Psi; \Delta, \mathbf{x} \in F_2 \vdash D \in \Psi'; \Delta'}{\Psi; \Delta \vdash (\mathbf{x} \in F_2 = \pi_2\,P, D) \in (\Psi'; \mathbf{x} \in F_2, \Delta')}\ \mathrm{L}\wedge_2
\]

Alternatively, one could replace these two rules by one rule that introduces both projections simultaneously.

All in all, there are six different forms of declarations, each representing one rule. In particular, a proof term for a derivation of the declaration judgment in $\mathcal{M}_2^+$ is simply a series of declarations.

\[
\begin{array}{lcl}
\text{Declarations:}\quad D & ::= & \cdot \mid \nu\rho^L.\,D \mid \mathbf{x} \in F = P\ M, D \mid \mathbf{x} \in F = P\ \rho, D \\
& \mid & \langle x : A, \mathbf{y} \in F\rangle = P, D \mid \mathbf{x} \in F = \pi_1\,P, D \mid \mathbf{x} \in F = \pi_2\,P, D
\end{array}
\]

This concludes the presentation of proof terms for the left rules of $\mathcal{M}_2^+$, and completes the presentation of proof terms for the core of the meta-logic $\mathcal{M}_2^+$. The proof term calculus is obviously not completely defined yet, because none of the non-trivial left rules is applicable. The attentive reader might have already noticed that $\Delta$ must be empty, since none of the right rules extends it. Hence none of the left rules (except Ldone) is applicable in the system defined so far. This is going to change when we introduce recursion and case analysis operators in the next Section 5.6. In particular, there are no interesting examples we could develop in this version of $\mathcal{M}_2^+$; therefore we delay an example until the end of the next section.

5.6  Induction 

As motivated in Section 4.1, induction is an important technique when it comes to reasoning about programming languages, logics, and type systems. Informally, reasoning by induction about programming languages is not a too difficult concept, but formalizing it in the presence of higher-order representations is problematic.

The  main  drawback  of  standard  induction  principles  is  the  closed  world  assumption,  which 
restricts  the  formalization  of  deductive  systems  to  encodings  that  satisfy  the  positivity  condition. 
The  datatype  defined  must  only  occur  in  positive  positions  in  its  constructor  types.  Thus 
inductive  definitions  are  very  restrictive,  in  fact,  they  are  too  restrictive  to  handle  higher-order 
encodings.  The  entire  proof  of  the  Church-Rosser  theorem,  for  example,  from  Chapter  4  in  all 
its  elegance  is  simply  not  directly  representable  in  a  framework  which  only  provides  standard 
induction  principles. 

The goal and challenge of this section is to extend $\mathcal{M}_2^+$ by constructs to support the formalization of inductive arguments. Instead of trying to define induction principles for higher-order encodings, we propose a design based on a realizability interpretation of proof terms. In particular, the solution we are proposing in this thesis is to extend the proof term calculus to a recursive functional calculus where all functions are total, i.e. realizers. Specifically, we are extending $\mathcal{M}_2^+$ by the two principles which are sufficient to formalize inductive arguments: well-founded recursion and complete case analysis.
Well-founded recursion, as opposed to simple recursion, guarantees that the computation of any recursive function is terminating. There cannot be any infinite chains of recursive calls. Recursion is discussed in Section 5.6.1.

Complete case analysis, as opposed to simple case analysis, guarantees that while executing a recursive function some case will be applicable. Therefore the execution of any recursive function can never get stuck. The technique of complete case analysis is discussed in Section 5.6.2. The exact definition of what it means to execute a recursive function, i.e. its operational semantics, is presented in Chapter 6.

By guaranteeing well-founded recursion and complete case analysis, all recursive functions in $\mathcal{M}_2^+$ are total, and consequently it is a sound meta-logic based on a realizability interpretation of its proof terms.

5.6.1 Well-Founded Recursion

Well-founded recursion is expressed by the standard fixed-point rule with an open-ended side condition. The new proof term has the form $\mu\mathbf{x} \in F.\,P$. $\mathbf{x}$ is a meta-variable, and $P$ the body of the fixed-point operator, where $\mathbf{x}$ may occur as a free variable. Informally, executing $\mu\mathbf{x} \in F.\,P$ means to replace all occurrences of $\mathbf{x}$ in $P$ by $\mu\mathbf{x} \in F.\,P$, but this is discussed in the next chapter.

Proof terms: $P ::= \ldots \mid \mu\mathbf{x} \in F.\,P$

The main emphasis of this investigation is how to enforce termination when executing the fixed-point operator. In our development, we assume that we have only one outermost fixed-point operator. If the fixed-point variable $\mathbf{x}$ occurs someplace else in the body, it is typically applied to some arguments.

The critical insight into the issue of termination is that the vector of arguments to which $\mathbf{x}$ is applied is strictly smaller than the vector of arguments the function was originally called with. The "smaller" relation must be some well-founded order, i.e. the termination order we specified with each proof in Chapter 4. Naturally, this order must be fixed for all occurrences of $\mathbf{x}$. This way, we can guarantee that each chain of recursive calls is finite, and hence the execution of any recursive function must be terminating.

\[
\frac{\Psi; \Delta, \mathbf{x} \in F \vdash P \in F}{\Psi; \Delta \vdash \mu\mathbf{x} \in F.\,P \in F}\ \mathrm{Rctx}
\]

The typing rule for the fixed point is standard, but the side condition is not. For now, we leave it purposely informal; a more precise formulation is left to Section 7.2.

\[
P\ \text{terminates in}\ \mathbf{x} \qquad (5.1)
\]


5.6.2 Complete Case Analysis

Well-founded recursion and complete case analysis turn the proof term calculus into a calculus of total recursive functions. In particular, we discuss in this section how to add a case operator to the meta-logic, and how to enforce that case analysis is always complete. What characterizes case analysis? In order to answer this question, we start the discussion with the reflexivity Lemma 4.3 for parallel reduction as example.

\[
\Box(\mathrm{SOME}\ T : \mathsf{tp}.\ \mathrm{BLOCK}\ x : \mathsf{term}\ T, u : x \Longrightarrow x)^L.\ \forall T : \mathsf{tp}.\ \forall E : \mathsf{term}\ T.\ \exists D : E \Longrightarrow E.\ \top
\]

In the proof we distinguished cases over the term $e$, which is represented in LF as $E : \mathsf{term}\ \ulcorner\tau\urcorner$. A closer look at $e$ led us to consider three cases. One case was the global parameter case, the second the lam case, and the third the app case. It is this case analysis we would like to model in $\mathcal{M}_2^+$. We omit the leading context schema quantification.

Case: In the first case, the parameter context must contain at least one parameter block of the form $x : \mathsf{term}\ T, u : x \Longrightarrow x$, which means that we have to prove the formula

\[
\forall T : \mathsf{tp}.\ \Pi(x : \mathsf{term}\ T, u : x \Longrightarrow x)^L.\ \exists D : x \Longrightarrow x.\ \top
\]

Case: In the second case, there is no parameter block, but there is a function representing the body of the $\lambda$-term.

\[
\forall T_1 : \mathsf{tp}.\ \forall T_2 : \mathsf{tp}.\ \forall E' : \mathsf{term}\ T_1 \rightarrow \mathsf{term}\ T_2.\ \exists D : \mathsf{lam}\ E' \Longrightarrow \mathsf{lam}\ E'.\ \top
\]

Case: In the last case, there are two new assumptions, one representing the function and the second its argument.

\[
\forall T_1 : \mathsf{tp}.\ \forall T_2 : \mathsf{tp}.\ \forall E_1 : \mathsf{term}\ (T_2\ \mathsf{arrow}\ T_1).\ \forall E_2 : \mathsf{term}\ T_2.\ \exists D : \mathsf{app}\ E_1\ E_2 \Longrightarrow \mathsf{app}\ E_1\ E_2.\ \top
\]

The first observation is that case analysis is not local; in general we have to consider more than one assumption in $\Psi$. For example, in all three cases above the formula $\exists D : E \Longrightarrow E.\ \top$ is refined by instantiating $E$ with the concrete form $E$ takes in each case: "$x$" in the first, "$\mathsf{lam}\ E'$" in the second and "$\mathsf{app}\ E_1\ E_2$" in the third. In particular, if $E$ occurred in the types of other universally quantified assumptions, these occurrences would be instantiated, too. Moreover, because of dependencies, considering cases over one assumption might partially instantiate others. To see that, consider the diamond Lemma 4.6.

\[
\begin{array}{l}
\Box(\mathrm{SOME}\ T : \mathsf{tp}.\ \mathrm{BLOCK}\ x : \mathsf{term}\ T, u : x \Longrightarrow x)^L. \\
\quad \forall T : \mathsf{tp}.\ \forall E : \mathsf{term}\ T.\ \forall E^l : \mathsf{term}\ T.\ \forall E^r : \mathsf{term}\ T. \\
\quad \forall D^l : E \Longrightarrow E^l.\ \forall D^r : E \Longrightarrow E^r. \\
\quad \exists E' : \mathsf{term}\ T.\ \exists R^l : E^l \Longrightarrow E'.\ \exists R^r : E^r \Longrightarrow E'.\ \top
\end{array}
\]

In its proof, the first proof operation we performed was a case analysis on $D^l$. The first case to be considered is that $D^l$ is instantiated with a global parameter $u$. Since $u : x \Longrightarrow x$, for $x : \mathsf{term}\ T$ declared by the same variable block, clearly $E$ and $E^l$ must equal $x$. The same holds for the next case, that $D^l$ is instantiated with "$\mathsf{pbeta}\ D^l_1\ D^l_2$". Because of dependencies, this means that $E$ must have been instantiated with "$\mathsf{app}\ (\mathsf{lam}\ E_1)\ E_2$" for an $E_1$ of type $\mathsf{term}\ T_1 \rightarrow \mathsf{term}\ T$ for some type $T_1$. And $E^l$ must be the result of applying some $E'_1$ (an LF function) to some $E'_2$ (of appropriate type). While abstractly describing the case analysis, we do not know exactly what $E'_1$ and $E'_2$ are instantiated with; we only know that they must exist.

Formally, all universal assumptions in the examples are represented by a generalized context $\Psi$. Subsequently, each case analysis of $\Psi$ leads to a new generalized context $\Psi'$. As example, consider the reflexivity Lemma 4.3.

Example 5.12 (Case analysis in reflexivity Lemma 4.3) The form of the generalized context representing all universally quantified assumptions right before case analysis is

\[
\Psi = T : \mathsf{tp},\ E : \mathsf{term}\ T
\]

and the forms of the generalized context in each of the cases right after case analysis are

Case: $\Psi_1 = T : \mathsf{tp},\ (x : \mathsf{term}\ T, u : x \Longrightarrow x)^L$

Case: $\Psi_2 = T_1 : \mathsf{tp},\ T_2 : \mathsf{tp},\ E' : \mathsf{term}\ T_1 \rightarrow \mathsf{term}\ T_2$

Case: $\Psi_3 = T_1 : \mathsf{tp},\ T_2 : \mathsf{tp},\ E_1 : \mathsf{term}\ (T_2\ \mathsf{arrow}\ T_1),\ E_2 : \mathsf{term}\ T_2$

As a second example, consider the diamond Lemma 4.6.

Example 5.13 (Case analysis in diamond Lemma 4.6) The form of the generalized context representing all universally quantified assumptions right before the first case analysis is

$$\Psi = T : \mathsf{tp},\ E : \mathsf{term}\ T,\ E_l : \mathsf{term}\ T,\ E_r : \mathsf{term}\ T,\ D_l : E \Rightarrow E_l,\ D_r : E \Rightarrow E_r$$

and the forms of the generalized contexts in each of the cases right after case analysis on $D_l$ are

Case: $\Psi'_1 = T : \mathsf{tp},\ (x : \mathsf{term}\ T,\ u : x \Rightarrow x)^{L},\ E_r : \mathsf{term}\ T,\ D_r : x \Rightarrow E_r$

Case: $\Psi'_2 = T : \mathsf{tp},\ T_1 : \mathsf{tp},\ E_1 : \mathsf{term}\ T_1 \to \mathsf{term}\ T,\ E_2 : \mathsf{term}\ T_1,\ E'_1 : \mathsf{term}\ T_1 \to \mathsf{term}\ T,\ E'_2 : \mathsf{term}\ T_1,\ E_r : \mathsf{term}\ T,\ D'_1 : \Pi x : \mathsf{term}\ T_1.\ x \Rightarrow x \to E_1\ x \Rightarrow E'_1\ x,\ D'_2 : E_2 \Rightarrow E'_2,\ D_r : (\mathsf{app}\ (\mathsf{lam}\ E_1)\ E_2) \Rightarrow E_r$

Case: $\Psi'_3 = T : \mathsf{tp},\ T' : \mathsf{tp},\ E : \mathsf{term}\ T \to \mathsf{term}\ T',\ E_l : \mathsf{term}\ T \to \mathsf{term}\ T',\ E_r : \mathsf{term}\ (T\ \mathsf{arrow}\ T'),\ D_l : \Pi x : \mathsf{term}\ T.\ x \Rightarrow x \to E\ x \Rightarrow E_l\ x,\ D_r : (\mathsf{lam}\ E) \Rightarrow E_r$

Case: $\Psi'_4 = T_1 : \mathsf{tp},\ T_2 : \mathsf{tp},\ E_1 : \mathsf{term}\ (T_2\ \mathsf{arrow}\ T_1),\ E_2 : \mathsf{term}\ T_2,\ E'_1 : \mathsf{term}\ (T_2\ \mathsf{arrow}\ T_1),\ E'_2 : \mathsf{term}\ T_2,\ E_r : \mathsf{term}\ T_1,\ D'_1 : E_1 \Rightarrow E'_1,\ D'_2 : E_2 \Rightarrow E'_2,\ D_r : \mathsf{app}\ E_1\ E_2 \Rightarrow E_r$

Again, all assumptions in $\Psi'_1, \ldots, \Psi'_4$ represent exactly the available assumptions after case analysis of the first parallel reduction $D_l$, as implicitly assumed in the informal presentation of the proof of Lemma 3.7. There the situation is slightly different, because we performed two case analyses at once, whereas here we only present the one over $D_l$.

It is one of the major technical contributions of this thesis to show how to design the case-distinction operator in order to capture this refinement of generalized contexts. Our solution employs generalized substitutions (defined for generalized contexts), whose definition we address in the following.
A generalized substitution is defined very similarly to LF level substitutions in Section 5.2. The main difference is that its domain and its co-domain are generalized contexts, and therefore a special case for substituting context variables must be provided; only variable blocks can be substituted for variable blocks. Generalized substitutions are denoted by $\psi$.

Generalized substitutions: $\psi ::= \cdot \mid \psi, M/x \mid \psi, \rho'/\rho$

The  composition  of  generalized  substitutions  is  very  similar  to  Definition  5.1  with  one  extra  case 
for  variable  blocks. 

Definition 5.14 (Composition of generalized substitutions)

$$\cdot \circ \psi_2 = \cdot$$
$$(\psi_1, M/x) \circ \psi_2 = (\psi_1 \circ \psi_2), M[\psi_2]/x$$
$$(\psi_1, \rho'/\rho) \circ \psi_2 = (\psi_1 \circ \psi_2), [\psi_2]\rho'/\rho$$

where we write $[\psi]\rho$ to apply a generalized substitution to a variable block, or more precisely to the types declared within. The prefix notation indicates that the substitution is applied to a list of entities. It is an abbreviation for

$$[\psi]\cdot = \cdot$$
$$[\psi](x : A, \rho) = x : A[\psi], [\psi, x/x]\rho$$

Note that if $\rho = x_1 : A_1, \ldots, x_n : A_n$ and $\rho' = y_1 : B_1, \ldots, y_n : B_n$, then $\rho/\rho'$ is a substitution which substitutes $x_i$ for $y_i$ for all $i \leq n$. Specifically, $[\psi]\rho'$ updates only the type information in $\rho'$ but leaves the variable names in $\rho'$ untouched. In our shorthand notation $[\psi]\rho'/\rho$ denotes exactly the same generalized substitution as $\rho'/\rho$ does, but the co-domain may be different.

Returning to Example 5.12 of the reflexivity Lemma 4.3, there are three generalized substitutions $\psi_1, \psi_2, \psi_3$, one associated with each case:

Example 5.15 (Generalized substitutions and the reflexivity Lemma 4.3)

Case: The first case of the proof translates into $\psi_1 = T/T,\ x/E$, where $\Psi$ is its domain and $\Psi_1$ its co-domain. The $x/E$ in the substitution corresponds to the $x$ in the informal presentation in Lemma 3.4, where $x$ is declared in the variable block $\rho = x : \mathsf{term}\ T,\ u : x \Rightarrow x$. In this special case $x$ is a binding occurrence of a parameter block. There can also be non-binding occurrences of variable blocks, which we encounter in the example about the diamond lemma below.

Case: The second case is also expressed by a simple substitution relating $\Psi_2$ to $\Psi$: $\psi_2 = (T_1\ \mathsf{arrow}\ T_2)/T,\ (\mathsf{lam}\ E')/E$

Case: And so is the third case: the domain of $\psi_3$ is $\Psi$, and $\Psi_3$ is its co-domain: $\psi_3 = T_1/T,\ (\mathsf{app}\ E_1\ E_2)/E$

The difference between binding and non-binding occurrences of variable blocks in a context is illustrated by the proof of the diamond Lemma 4.6. We put special emphasis on the first case:
Example 5.16 (Generalized substitutions and the diamond Lemma 4.6) This example extends Example 5.13.

Case: $\Psi'_1 = T : \mathsf{tp},\ (x : \mathsf{term}\ T,\ u : x \Rightarrow x)^{L},\ E_r : \mathsf{term}\ T,\ D_r : x \Rightarrow E_r$:

The first case translates into the generalized substitution

$$\psi_1 = T/T,\ x/E,\ x/E_l,\ E_r/E_r,\ u/D_l,\ D_r/D_r$$

The variable block $(x : \mathsf{term}\ T,\ u : x \Rightarrow x)^{L}$ is a binding occurrence because, informally, when the case is executed, the instantiations of $E$, $E_l$, and $D_l$ determine the parameter block in the context. In the original proof of the diamond Lemma 3.7, we discussed how to assume the existence of a second parameter block in order to distinguish cases over $D_r$. Because of typing constraints, the two variable blocks are constrained to be identical, because, like the left reduction, the right reduction starts in $x$. In our system there are two options to express the second case analysis:

1. Define a second case analysis inside the scope of the first, with a new domain $\Psi''_1$ and a substitution $\psi'_1$:

$$\Psi''_1 = T : \mathsf{tp},\ (y : \mathsf{term}\ T,\ v : y \Rightarrow y)^{L}$$
$$\psi'_1 = T/T,\ (y : \mathsf{term}\ T,\ v : y \Rightarrow y)/(x : \mathsf{term}\ T,\ u : x \Rightarrow x),\ y/E_r,\ v/D_r$$

The variable block $(y : \mathsf{term}\ T,\ v : y \Rightarrow y)^{L}$ is a non-binding occurrence of a variable block. It is merely a renaming of $x$ and $u$ to $y$ and $v$.

2. Modify the generalized context $\Psi'_1$ and the generalized substitution $\psi_1$ to $\Psi''_1$ and $\psi''_1$, which also accommodate the second case analysis:

$$\Psi''_1 = T : \mathsf{tp},\ (x : \mathsf{term}\ T,\ u : x \Rightarrow x)^{L}$$
$$\psi''_1 = T/T,\ x/E,\ x/E_l,\ x/E_r,\ u/D_l,\ u/D_r$$

and again $(x : \mathsf{term}\ T,\ u : x \Rightarrow x)^{L}$ is a binding occurrence of a variable block.

It is possible to use either of these two representations, and the attentive reader might have noticed that $\psi''_1$ is nothing else but a composition of $\psi_1$ and $\psi'_1$.

Case: $\Psi'_2 = T : \mathsf{tp},\ T_1 : \mathsf{tp},\ E_1 : \mathsf{term}\ T_1 \to \mathsf{term}\ T,\ E_2 : \mathsf{term}\ T_1,\ E'_1 : \mathsf{term}\ T_1 \to \mathsf{term}\ T,\ E'_2 : \mathsf{term}\ T_1,\ E_r : \mathsf{term}\ T,\ D'_1 : \Pi x : \mathsf{term}\ T_1.\ x \Rightarrow x \to E_1\ x \Rightarrow E'_1\ x,\ D'_2 : E_2 \Rightarrow E'_2,\ D_r : (\mathsf{app}\ (\mathsf{lam}\ E_1)\ E_2) \Rightarrow E_r$:

The substitution which expresses the relationship between $\Psi$ and $\Psi'_2$ results from a straightforward instantiation of the assumptions in $\Psi$:

$$\psi_2 = T/T,\ (\mathsf{app}\ (\mathsf{lam}\ E_1)\ E_2)/E,\ (E'_1\ E'_2)/E_l,\ E_r/E_r,\ (\mathsf{pbeta}\ D'_1\ D'_2)/D_l,\ D_r/D_r$$

Case: $\Psi'_3 = T : \mathsf{tp},\ T' : \mathsf{tp},\ E : \mathsf{term}\ T \to \mathsf{term}\ T',\ E_l : \mathsf{term}\ T \to \mathsf{term}\ T',\ E_r : \mathsf{term}\ (T\ \mathsf{arrow}\ T'),\ D_l : \Pi x : \mathsf{term}\ T.\ x \Rightarrow x \to E\ x \Rightarrow E_l\ x,\ D_r : (\mathsf{lam}\ E) \Rightarrow E_r$:

Analogously, the relationship between $\Psi$ and $\Psi'_3$ is expressed by the generalized substitution $\psi_3$.

$$\psi_3 = (T\ \mathsf{arrow}\ T')/T,\ (\mathsf{lam}\ E)/E,\ (\mathsf{lam}\ E_l)/E_l,\ E_r/E_r,\ (\mathsf{plam}\ D_l)/D_l,\ D_r/D_r$$

Case: $\Psi'_4 = T_1 : \mathsf{tp},\ T_2 : \mathsf{tp},\ E_1 : \mathsf{term}\ (T_2\ \mathsf{arrow}\ T_1),\ E_2 : \mathsf{term}\ T_2,\ E'_1 : \mathsf{term}\ (T_2\ \mathsf{arrow}\ T_1),\ E'_2 : \mathsf{term}\ T_2,\ E_r : \mathsf{term}\ T_1,\ D'_1 : E_1 \Rightarrow E'_1,\ D'_2 : E_2 \Rightarrow E'_2,\ D_r : \mathsf{app}\ E_1\ E_2 \Rightarrow E_r$:

And finally, the relationship between $\Psi$ and $\Psi'_4$ is expressed by the generalized substitution $\psi_4$.

$$\psi_4 = T_1/T,\ (\mathsf{app}\ E_1\ E_2)/E,\ (\mathsf{app}\ E'_1\ E'_2)/E_l,\ E_r/E_r,\ (\mathsf{papp}\ D'_1\ D'_2)/D_l,\ D_r/D_r$$

These two examples clearly demonstrate the general idea behind the design of the case construct. Each case is expressed by a substitution and its co-domain. The domain of the substitution is the context in which the original case-expression is valid (it therefore stays invariant for all the cases), and the co-domain of the substitution is the context in which the body of a case is valid.

The subject of the case construct is hence not simply one LF object; instead it is a list of LF objects (a substitution) that instantiates all variables declared in the context simultaneously. In summary, we use the basic idea of explicit substitutions [DHKP96] to encode the case subject. An explicit substitution is a substitution which is turned into a first-class object of the calculus. We use such explicit generalized substitutions in order to represent the case subject, that is, $\psi$.

In order to make this presentation more uniform, we also use explicit meta-substitutions to capture the instantiation of meta-variables. These observations give rise to a new proof term, which is defined in terms of a list of cases.

Proof terms: $P ::= \ldots \mid \mathsf{case}\ (\psi; \delta)\ \mathsf{of}\ \Omega$

Cases: $\Omega ::= \cdot \mid \Omega, (\Psi' \triangleright \psi \mapsto P)$

The $(\psi; \delta)$ part of the new proof term is a pair of the already discussed explicit substitutions, and $\Omega$ is a list of cases. Each case describes the substitution $\psi$ used to recognize whether the case is applicable, its co-domain $\Psi'$, which describes all assumption and block variables available to the body of the case, and finally the body $P$ of the case itself.

Operationally speaking, assume that at the time of execution $\mathsf{case}\ (\psi; \delta)\ \mathsf{of}\ \Omega$ is given and the term is closed (it doesn't contain any free variables). Consequently, $\psi$ is a ground substitution. A case $(\Psi' \triangleright \psi' \mapsto P) \in \Omega$ is applicable if the system can construct a closed substitution $\psi''$ (the new environment) with domain $\Psi'$ from $\psi$ (the old environment), such that $\psi' \circ \psi'' = \psi$. If such a $\psi''$ exists, informally, the case is applicable, and the body $P$ of the case can be executed after all variables from $\Psi'$ have been replaced according to $\psi''$.

All proof terms are now defined, and we can return to the reflexivity Lemma 4.3 and illustrate its proof term. Proof terms in their internal formulation are very verbose, difficult to parse and painfully hard to interpret. We therefore opt to illustrate the internal version only once, in the next example, and use the more familiar notation of proof terms (from Chapter 4) in the remainder of this thesis. In addition, this notation is easily definable as syntactic sugar.

Example 5.17 (Proof of the reflexivity Lemma 4.3) As derived by syntactic refinement in Section 4.2.2, the proof of the reflexivity lemma

$$\Box^{L}(\mathsf{SOME}\ T : \mathsf{tp}.\ \mathsf{BLOCK}\ x : \mathsf{term}\ T,\ u : x \Rightarrow x).\ \forall T : \mathsf{tp}.\ \forall E : \mathsf{term}\ T.\ \exists D : E \Rightarrow E.\ \top$$

is a recursion. First comes the version we have already seen, then the internal representation, where we omit some type and formula annotations.

    fun refl x = u
      | refl (lam (λx:term T. E' x)) =
          let
            new x:term T, u:x ⇒ x
            val P x u = refl (E' x)
          in
            plam (λx. λu. P x u)
          end
      | refl (app E1 E2) =
          let
            val P1 = refl E1
            val P2 = refl E2
          in
            papp P1 P2
          end

    box (SOME T:tp. BLOCK x:term T, u:x ⇒ x)^L.
      μ refl. ΛT:tp. ΛE:term T.
        case (T/T, E/E; refl/refl) of
          (T:tp, (x:term T, u:x ⇒ x)^L
             ▷ T/T, x/E
             ↦ ⟨u, ⟨⟩⟩),
          (T1:tp, T2:tp, E':term T1 → term T2
             ▷ (T1 arrow T2)/T, (lam E')/E
             ↦ let ν (x:term T1, u:x ⇒ x)^L.
                    x1 = refl T2, x2 = x1 (E' x), ⟨P, x3⟩ = x2
                in ⟨plam (λx:term T1. λu:x ⇒ x. P x u), ⟨⟩⟩),
          (T1:tp, T2:tp, E1:term (T2 arrow T1), E2:term T2
             ▷ T1/T, (app E1 E2)/E
             ↦ let x1 = refl (T2 arrow T1), x2 = x1 E1, ⟨P1, x3⟩ = x2,
                    y1 = refl T2, y2 = y1 E2, ⟨P2, y3⟩ = y2
                in ⟨papp P1 P2, ⟨⟩⟩)


Similar  to  LF-level  substitutions  from  Section  5.2,  generalized  and  meta-substitutions  must 
be  well-formed  —  we  establish  this  property  by  two  judgments.  Generalized  substitutions  map 
generalized  contexts  into  generalized  contexts  but  generalized  contexts  themselves  are  already 
a  prerequisite  for  meta-contexts.  Consequently  the  definition  of  meta-substitutions  relies  on 
generalized  substitutions. 

The first of the two judgments is that of well-formed generalized substitutions, $\Psi' \vdash \psi \in \Psi$. Clearly, $\Psi$ is the domain of the substitution and $\Psi'$ is its co-domain.


Judgment:

Well-typed generalized substitutions: $\Psi' \vdash \psi \in \Psi$

The semantics of this judgment is defined by three inference rules. The empty generalized substitution is well-formed with an empty domain. Recall that variable blocks are used to express the presence of a parameter block in the parameter context. Consequently, the image of a variable block must be a variable block. Finally, there is the expected rule which allows the substitution of any well-typed LF-term for an assumption variable.


Rules:

$$\frac{\vdash \Psi'\ \mathsf{abstract}}{\Psi' \vdash \cdot \in \cdot}\ \mathsf{sempty}$$

$$\frac{\rho'^{L} \in \Psi' \qquad \vdash \rho' =_{\alpha} [\psi]\rho \qquad \Psi' \vdash \psi \in \Psi}{\Psi' \vdash (\psi, \rho'/\rho) \in \Psi, \rho^{L}}\ \mathsf{sblock}$$

$$\frac{\Psi' \vdash M : A[\psi] \qquad \Psi' \vdash \psi \in \Psi}{\Psi' \vdash (\psi, M/x) \in \Psi, x : A}\ \mathsf{sass}$$

Generalized substitution composition is well-defined.

Lemma 5.18 (Composition of generalized substitutions)

If $\mathcal{D}_1 :: \Psi_2 \vdash \psi_1 \in \Psi_1$
and $\mathcal{D}_2 :: \Psi_3 \vdash \psi_2 \in \Psi_2$
then $\Psi_3 \vdash \psi_1 \circ \psi_2 \in \Psi_1$.

Proof: by structural induction on $\mathcal{D}_1$. □

Generalized substitutions are a prerequisite for the definition of well-defined meta-substitutions. As a reminder, a meta-substitution replaces meta-variables by entire proof terms, as is for example necessary when evaluating the fixed-point operator. Substitutions on meta-variables are used very often in the remainder of this thesis, for example in the substitution Lemma 6.20, which we prove in the next chapter. The judgment expressing that a meta-substitution is well-formed is in principle just an extension of the previous judgment.

Judgment:

Well-typed meta-substitutions: $\Psi'; \Delta' \vdash \psi; \delta \in \Psi; \Delta$

In  the  spirit  of  extending  the  first  judgment,  the  semantics  of  well-typed  meta-substitutions 
is  defined  by  two  inference  rules.  The  first  rule  coerces  a  standard  well-formed  generalized 
substitution  to  be  a  well-formed  meta-substitution  in  the  base  case.  The  other  expresses  when 
non-trivial  meta-substitutions  are  well-formed. 

Rules:

$$\frac{\Psi' \vdash \psi \in \Psi}{\Psi'; \Delta' \vdash \psi; \cdot \in \Psi; \cdot}\ \mathsf{sabstract}$$

$$\frac{\Psi'; \Delta' \vdash P \in F[\psi] \qquad \Psi'; \Delta' \vdash \psi; \delta \in \Psi; \Delta}{\Psi'; \Delta' \vdash \psi; \delta, P/x \in \Psi; \Delta, x \in F}\ \mathsf{smeta}$$

In order to be perfectly precise, a precondition for the two judgments is that all involved contexts are well-formed. That means that for the first judgment we can assume that $\vdash \Psi\ \mathsf{abstract}$ and $\vdash \Psi'\ \mathsf{abstract}$, and for the second, we assume that $\Psi \vdash \Delta\ \mathsf{meta}$ and $\Psi' \vdash \Delta'\ \mathsf{meta}$.

Meta-substitutions can be composed, and we write $(\psi; \delta) \circ (\psi'; \delta') = (\psi''; \delta'')$ for the resulting substitution. It is defined in a straightforward way, where we assume that meta-substitutions can be applied to a proof term, $P[\psi; \delta]$.

Definition 5.19 (Composition of meta-substitutions)

$$(\psi; \cdot) \circ (\psi'; \delta') = (\psi \circ \psi'; \cdot) \qquad (\mathsf{cempty})$$

$$(\psi; \delta, P/x) \circ (\psi'; \delta') = (\psi''; \delta'', P[\psi'; \delta']/x) \qquad (\mathsf{cmeta})$$

where $(\psi; \delta) \circ (\psi'; \delta') = (\psi''; \delta'')$

Meta-substitution composition is well-defined, too. Since its proof relies on a substitution lemma for applying meta-substitutions to programs, we postpone the proof of this lemma until Section 6.2.4, Corollary 6.21.

Lemma 5.20 (Composition of meta-substitutions)

If $\mathcal{D}_1 :: \Psi_2; \Delta_2 \vdash \psi_1; \delta_1 \in \Psi_1; \Delta_1$

and $\mathcal{D}_2 :: \Psi_3; \Delta_3 \vdash \psi_2; \delta_2 \in \Psi_2; \Delta_2$

then $\Psi_3; \Delta_3 \vdash (\psi_1; \delta_1) \circ (\psi_2; \delta_2) \in \Psi_1; \Delta_1$.

The special character of a meta-substitution as an extension of a generalized substitution is clearly exhibited by the observation that the underlying generalized substitution can easily be extracted from the meta-substitution.

Lemma 5.21 If $\mathcal{D} :: \Psi'; \Delta' \vdash \psi; \delta \in \Psi; \Delta$

then $\Psi' \vdash \psi \in \Psi$.

Proof: by induction on $\mathcal{D}$. □

In many proofs below, we will encounter identity substitutions, i.e. substitutions whose domain and co-domain are equal, and every variable is mapped to itself. If an identity substitution acts on an LF context $\Gamma$, we write $\mathrm{id}_\Gamma$. Likewise a generalized identity substitution on $\Psi$ is written as $\mathrm{id}_\Psi$, and a meta identity substitution on $\Delta$ as $\mathrm{id}_\Delta$. In the remainder of this thesis we take the freedom to simply omit identity substitutions from the formalism if they do not contribute to the presentation of the material. For example, instead of $\psi; \mathrm{id}_\Delta$ we simply write $\psi$.

We continue this rather technical discussion, and present now the final extension to the inference rule system of $\mathcal{M}_2^{+}$. The rules will capture the essence of case analysis in order to define and formalize recursive functions in $\mathcal{M}_2^{+}$. Recall from Example 5.17 that there is the case construct itself, which takes as argument a list of cases $\Omega$ which must also be well-formed. Obviously, $\Omega$'s well-formedness requires a judgment by itself: $\Psi; \Delta \vdash \Omega \in F$, where $F$ is the formula, and each case in $\Omega$ must be valid. Typically, $F$ is an existentially quantified formula, such as $\exists D : E \Rightarrow E.\ \top$ in the reflexivity lemma, or $\exists E' : \mathsf{term}\ T.\ \exists P_l : E_l \Rightarrow E'.\ \exists P_r : E_r \Rightarrow E'.\ \top$ in the diamond lemma.

Judgment

Well-formed case lists: $\Psi; \Delta \vdash \Omega \in F$

The typing rule for case requires that the case subject is a valid meta-substitution and that all cases are well-typed.

Rules

$$\frac{\Psi; \Delta \vdash \psi; \delta \in \Psi'; \Delta' \qquad \Psi'; \Delta' \vdash \Omega \in F}{\Psi; \Delta \vdash \mathsf{case}\ (\psi; \delta)\ \mathsf{of}\ \Omega \in F[\psi]}\ \mathsf{case}$$

Cases are well-formed if each of the substitutions is well-formed with the associated generalized context as its co-domain. In addition, the proof term associated with each case must be well-formed in the same generalized context. There is a generalized substitution $\psi$ that expresses how a case is being refined when it is successfully applied. The well-formedness proof can (and in most cases will) use the meta-assumptions given in $\Delta$, but because case analysis might have distinguished cases over other variables which occur free in the formulas in $\Delta$, the refinement must be reflected, written as $[\psi]\Delta$ in alt's premiss. Likewise, $\psi$ must be applied to the formula in the premiss of alt below. The precise definition of substitution application together with the associated properties are postponed until the next chapter.

$$\frac{}{\Psi; \Delta \vdash \cdot \in F}\ \mathsf{base}$$

$$\frac{\Psi' \vdash \psi \in \Psi \qquad \Psi; \Delta \vdash \Omega \in F \qquad \Psi'; [\psi]\Delta \vdash P \in F[\psi]}{\Psi; \Delta \vdash \Omega, (\Psi' \triangleright \psi \mapsto P) \in F}\ \mathsf{alt}$$

This almost completes the presentation of the typing rules for case analysis. The only thing missing is that the proof terms which are formalized in this system are realizers, which means that the case rule must guarantee that all cases are always covered, a property which is also referred to as coverage [Roh96]. Similarly to the side condition (5.1) for termination, we endow the case rule with a side condition which enforces coverage.

Informally, the coverage condition guarantees that if the recursive function (the proof term) is executed in an environment possibly defined in a concrete parameter context, and all assumption and variable blocks in the generalized context are instantiated with LF objects and parameter blocks, then the case analysis can be successfully executed, and at least one case applies. Consider the following situation. We are presented with a well-typed term

$$\mathsf{lam}\ (\lambda x : \mathsf{term}\ \mathsf{nat}.\ x) : \mathsf{term}\ (\mathsf{nat}\ \mathsf{arrow}\ \mathsf{nat}),$$

where we assume that $\mathsf{nat} : \mathsf{tp}$ is a base type for natural numbers. The objective is to construct a term of type $\mathsf{lam}\ (\lambda x : \mathsf{term}\ \mathsf{nat}.\ x) \Rightarrow \mathsf{lam}\ (\lambda x : \mathsf{term}\ \mathsf{nat}.\ x)$. This can be easily established by employing the recursive function refl and applying it to the argument $\mathsf{lam}\ (\lambda x : \mathsf{term}\ \mathsf{nat}.\ x)$. Once the evaluation reaches the point of case analysis, there is a case which applies: it is the second in Example 5.17.

But in general this is not necessarily the case. The rules defining the well-formedness of cases do not imply that a case is guaranteed to be applicable. Of course, this observation is not new. The same observation holds for any functional programming language which employs pattern matching, as for example ML [MTHM97] or Haskell [Tho99, Hud00]; in a situation where no case is applicable an exception is raised.

This solution is unacceptable for our situation. We must enforce that all recursive functions are realizers, that is, evaluation must always make progress and eventually terminate. Termination is already informally guaranteed by side condition (5.1). It remains to guarantee that the evaluation of each recursive function makes progress under all circumstances.

In the quest for coverage, we first examine what it means for a rule to be applicable. At the interesting point in the evaluation, shortly before cases are analyzed, there exists a generalized substitution (or better, an environment, as they are called in functional programming languages) which has the following form:

$$\cdot \vdash \underbrace{((\mathsf{nat}\ \mathsf{arrow}\ \mathsf{nat})/T,\ \mathsf{lam}\ (\lambda x : \mathsf{term}\ \mathsf{nat}.\ x)/E)}_{\eta} \in (T : \mathsf{tp},\ E : \mathsf{term}\ T)$$

Recall that the applicable case has the form

$$(T_1 : \mathsf{tp},\ T_2 : \mathsf{tp},\ E' : \mathsf{term}\ T_1 \to \mathsf{term}\ T_2) \triangleright \underbrace{((T_1\ \mathsf{arrow}\ T_2)/T,\ (\mathsf{lam}\ E')/E)}_{\psi} \mapsto \ldots$$

In detail, the rule is applicable because the environment $\eta$ is decomposable into a new environment, call it $\eta'$, and $\psi$. We do not show how to calculate this new environment $\eta'$ from $\eta$; this is left to the next chapter. Instead we simply state the result:

$$\cdot \vdash \underbrace{(\mathsf{nat}/T_1,\ \mathsf{nat}/T_2,\ (\lambda x : \mathsf{term}\ \mathsf{nat}.\ x)/E')}_{\eta'} \in (T_1 : \mathsf{tp},\ T_2 : \mathsf{tp},\ E' : \mathsf{term}\ T_1 \to \mathsf{term}\ T_2)$$

One can easily see that $\eta'$ is the right choice of environment, since the composition of $\psi$ and $\eta'$ inevitably yields $\eta$:

$$((T_1\ \mathsf{arrow}\ T_2)/T,\ (\mathsf{lam}\ E')/E) \circ (\mathsf{nat}/T_1,\ \mathsf{nat}/T_2,\ (\lambda x : \mathsf{term}\ \mathsf{nat}.\ x)/E') = ((\mathsf{nat}\ \mathsf{arrow}\ \mathsf{nat})/T,\ \mathsf{lam}\ (\lambda x : \mathsf{term}\ \mathsf{nat}.\ x)/E)$$

More formally, we say that a list of cases $\Omega$ covers all cases if any environment $\eta$ can be decomposed into $\eta'$ and $\psi$ for some case $(\Psi' \triangleright \psi \mapsto P) \in \Omega$.

$$\Omega \text{ is a complete case cover} \qquad (5.2)$$

This side condition is associated with the case rule. The general problem of coverage is undecidable, but in Section 7.3 we will give a formal but sufficient criterion for coverage. The condition is semantic in nature; there is no feasible way to try every instantiation of $\psi$ a priori. Semantic conditions are in general impossible to enforce directly. Therefore we present in Section 7.3 a syntactic criterion on $\Omega$ which, when satisfied, guarantees complete case coverage. As we will see, the entire construction rests on the shoulders of the canonical form Theorem 2.6 for LF.

Side condition (5.2) enforces a condition on the refinement substitutions $\psi$ which are part of a case $(\Psi' \triangleright \psi \mapsto P) \in \Omega$. The rule alt guarantees that the substitution is well-typed: $\Psi' \vdash \psi \in \Psi$. The following example shows that $\Psi'$ should not be unnecessarily large. If it were, an oracle would be necessary to assign an operational semantics to our proof term calculus. Consider the slightly extended lam-case of the reflexivity lemma (by adding $Q : \mathsf{term}\ T_1 \to \mathsf{term}\ T_1$).

$$T_1 : \mathsf{tp},\ T_2 : \mathsf{tp},\ E' : \mathsf{term}\ T_1 \to \mathsf{term}\ T_2,\ Q : \mathsf{term}\ T_1 \to \mathsf{term}\ T_1 \triangleright (T_1\ \mathsf{arrow}\ T_2)/T,\ (\mathsf{lam}\ E')/E \mapsto \ldots$$

After applying the decomposition rule to $\eta$ above using $\psi$, we arrive at an extension of $\eta'$ which also instantiates $Q$. The value of $Q$ cannot be determined from $\eta$ itself, since $Q$ is not mentioned in any of the LF-objects used in $\eta$. It is hence entirely under-constrained, which gives rise to a possible non-deterministic choice: we simply choose $\lambda x : \mathsf{term}\ T_1.\ x$ for $Q$ and complete the decomposition.

$$\cdot \vdash \mathsf{nat}/T_1,\ \mathsf{nat}/T_2,\ (\lambda x : \mathsf{term}\ \mathsf{nat}.\ x)/E',\ (\lambda x : \mathsf{term}\ T_1.\ x)/Q \in T_1 : \mathsf{tp},\ T_2 : \mathsf{tp},\ E' : \mathsf{term}\ T_1 \to \mathsf{term}\ T_2,\ Q : \mathsf{term}\ T_1 \to \mathsf{term}\ T_1$$

The strange behavior associated with allowing unconstrained assumptions in $\Psi'$ is even more clearly illustrated by the following extension, adding $Q : \mathsf{term}\ T_2 \to \mathsf{term}\ T_1$:

$$T_1 : \mathsf{tp},\ T_2 : \mathsf{tp},\ E' : \mathsf{term}\ T_1 \to \mathsf{term}\ T_2,\ Q : \mathsf{term}\ T_2 \to \mathsf{term}\ T_1 \triangleright (T_1\ \mathsf{arrow}\ T_2)/T,\ (\mathsf{lam}\ E')/E \mapsto \ldots$$

This renders the case inapplicable, because there is no possible instantiation for $Q$. Such non-determinism therefore blurs the interpretation of proof terms as recursive functions. In general,
we require that each $\eta$ can be decomposed into a $\psi$ and some $\eta'$. Moreover, we require that this decomposition is unique. Note that $\eta$ and $\eta'$ need not be closed; as usual they might be open in some parameter context, expressed abstractly by $\Phi$. All these requirements are summarized by the following side condition, which we associate with the alt-rule.

$$\text{For all } \eta\ (\Phi \vdash \eta \in \Psi) \text{ there exists an } \eta'\ (\Phi \vdash \eta' \in \Psi') \text{ s.t. } \eta = \psi \circ \eta' \qquad (5.3)$$

Similar to side condition (5.2), it is semantic and probably undecidable, but we present sufficient syntactic criteria in Section 6.4.

This concludes our presentation of two new meta-level proof terms expressing well-founded recursion and complete case analysis which, as we will see in Chapter 7, turn the proof term calculus of $\mathcal{M}_2^{+}$ into a calculus of total recursive functions, warranting the soundness of $\mathcal{M}_2^{+}$. We have established three semantic side conditions for the rules, for which we present precise syntactic criteria in the chapters to follow. We conclude this chapter with a discussion of how to add lemma application to $\mathcal{M}_2^{+}$.


5.7  Lemmas 

Theory and proof development without lemmas is unthinkable. Meta-logical arguments always consist of a sequence of lemmas, as for example the development of the Church-Rosser theorem presented in Chapter 4. Using an auxiliary notion of parallel reduction, the proof of the Church-Rosser property of ordinary reduction is reduced to the Church-Rosser property for parallel reduction, each of which is derived by a series of lemmas. In the discussion so far, we have presented all techniques necessary to formalize proofs which do not rely on other lemmas, the basic building blocks of a formal theory so to speak. We generalize this idea in this section by adding the ability to apply other lemmas to our system. With this technology at hand, we can formalize all lemmas and theorems from Chapter 4.

The reader may wish to skip this section on a first reading. If all lemmas in the development of a theory depend on one fixed world extension, this section does not contain any new ideas. In such a situation lemmas can simply be added as meta-assumptions to $\Delta$. If on the other hand the lemmas necessary for a development require many possibly different world extensions, the mechanisms presented in this section apply.

This section is structured as follows. First we introduce the necessary basic definitions of lemmas in Section 5.7.1. As presented in Section 4.2.2, lemmas and theorems also take the shape of the parameter context into account. A criterion which expresses whether one lemma can call another without violating the context schema restriction is presented in Section 5.7.2. In Section 5.7.3 we finally present the new proof rules extending the proof term calculus of $\mathcal{M}_2^{+}$.

5.7.1  Preliminaries 

Lemmas are a very valuable and important organizing force in the development of theories. Typically theories are built as hierarchies of lemmas. If well-chosen, this hierarchy can support the automated validation of changes to the underlying definition of a formal system. For example in Section 4.2.3, when we extend the simply-typed λ-calculus by polymorphism, all lemmas for the Church-Rosser theorem are still true (with very minor modifications in the definition of context schemas, by adding a block schema for type variables).
What are lemmas? Lemmas are general formulas, i.e. they define a context schema and a formula whose proof possibly relies on meta-hypotheses, i.e. proofs of other lemmas which are assumed to be true. For example we can prove the confluence Lemma 4.8 under the assumption that the strip Lemma 4.7 is true. Likewise, the proof of the strip lemma relies on the truth of the diamond Lemma 4.6, which itself depends on the truth of the substitution Lemma 4.5. It should be clear that a general formula is only proven if all of its meta-hypotheses are instantiated by real proofs. Formally, we first extend the notion of general proof terms to allow meta-hypotheses.

General  proof  terms:  Q  ::=  . . .  |  x 

Meta-hypotheses  are  organized  in  form  of  a  lemma  repository  which  is  very  closely  related 
to  the  list  of  meta-assumptions  A  and  the  instantiation  of  meta-hypothesis  is  described  a  sub¬ 
stitution  like  structure,  called  a  lemma  instantiation. 

Lemma  repository:  H  ■  |S,xG(? 

Lemma  instantiation:  £  ::=  •  |  £,  Q/x 

In addition, each judgment of the formal proof system $\mathcal{M}_2^+$ is equipped with such a lemma repository. There are three such judgments expressing the provability of general formulas, formulas, and declarations.

Judgments

Provability of general formulas: $\Xi \vdash Q \in G$
Provability of formulas: $\Psi; \Delta; \Xi \vdash P \in F$
Provability of declarations: $\Psi; \Delta; \Xi \vdash D \in \Psi'; \Delta'$

$\Xi$ is not going to change during the proof of a meta-theorem. It only changes when meta-hypotheses are instantiated. Therefore, a meta-theorem $G$ is proven if its proof is closed, that is, formally, if there exists a proof $Q$ such that $\cdot \vdash Q \in G$.

5.7.2  Context  Schema  Subsumption 

One of the main characteristics of a lemma is the form of the world extension for which it is defined. World extensions are described by the context schema. The need for context schemas has been motivated and discussed in Section 4.2.2 in great detail. In particular, context schemas are necessary in order to express properties of deductions which are not necessarily closed. The diamond Lemma 4.6 for example contains the declaration of the context schema

$$(\mathsf{SOME}\ T : \mathsf{tp}.\ \mathsf{BLOCK}\ x : \mathsf{term}\ T, u : x \Rightarrow x)^L$$

which serves as a quantifier over all regularly formed parameter contexts of the form:

$$(x_1 : \mathsf{term}\ T_1, u_1 : x_1 \Rightarrow x_1)^L, \ldots, (x_n : \mathsf{term}\ T_n, u_n : x_n \Rightarrow x_n)^L$$

The question is whether the proof of the diamond lemma can appeal to the transitivity Lemma 4.4. Surely, if the transitivity lemma is proven for the same world extension as required by the diamond lemma, the application is sound. If it isn't, it may not be sound. Which lemmas can be applied from within a meta-proof and which cannot is determined by a relation between the context schema of the lemma to be proven and the context schema of the lemma to be applied, which we call the subsumption relation.

More abstractly, if a formula is to be proven for any parameter context $\Phi \in [S]$, and one is tempted to apply the lemma $\Box S'.F$, then such an appeal is admissible if $\Phi \in [S']$. This is a very strong requirement, and without doubt it can be relaxed. We postpone the discussion of more sophisticated context subsumptions until Section 9.1.3.

Definition 5.22 (Context subsumption) We say that context schema $S'$ subsumes context schema $S$ iff $\Phi \in [S]$ implies that $\Phi \in [S']$.

Context subsumption is a semantic criterion, and in this it is very similar to termination, coverage, and strictness. A very simple-minded syntactic criterion for context subsumption will be presented in Chapter 6.

It is clear that the diamond Lemma 4.6 can appeal to the substitution Lemma 4.5, because both context schemas are the same, and hence the subsumption condition is trivially satisfied.


5.7.3  Proof  Rules 

The concept of lemmas requires two additional proof rules for $\mathcal{M}_2^+$ (Section 5.5), one to type meta-hypotheses, and the other to express lemma application. The first rule extends the provability judgment on general formulas, and the second the judgment of provability of declarations. The complete and final set of proof rules for $\mathcal{M}_2^+$ is presented in Appendix A.

So far, a general formula is considered proved if its body is provable from no other assumptions. Since we have extended the meta-logic by meta-hypotheses, we must add one more rule. Each meta-hypothesis is a proof.

$$\frac{x \in G \in \Xi}{\Xi \vdash x \in G}\ \mathrm{mhyp}$$

Next to the new left rule. So far, the only two application rules were L∀ and LΠ, which pick a meta-assumption from $\Delta$ and apply it to either an LF term or a block variable, respectively. Likewise, if $Q$ is a general proof term, it can be considered for application. Recall that the judgment for the provability of formulas is indexed by a context schema $S$ and a signature $\Sigma$.

$$\frac{\Xi \vdash Q \in \Box S'.F \qquad \Psi; \Delta, y \in F; \Xi \vdash D \in \Psi'; \Delta'}{\Psi; \Delta; \Xi \vdash y \in F = \mathsf{lemma}\ Q, D \in \Psi'; y \in F, \Delta'}\ \mathrm{lemma}$$

Of course, as side condition, we must require that the context schema $S'$ of the callee subsumes the context schema $S$ of the caller.

$$S' \text{ subsumes } S \tag{5.4}$$

The Church-Rosser theorem is provable under the meta-hypothesis that the confluence property holds; there is a proof term $Q_{\mathit{cr}}$, which one obtains by desugaring the proof term in Figure 4.7,

$$\begin{array}{l}
\mathit{conf} \in \Box\,\mathsf{SOME}\ T : \mathsf{tp}.\ \mathsf{BLOCK}\ x : \mathsf{term}\ T, u : x \Rightarrow x.\\
\quad \forall T : \mathsf{tp}.\ \forall E : \mathsf{term}\ T.\ \forall E^l : \mathsf{term}\ T.\ \forall E^r : \mathsf{term}\ T.\\
\quad \forall D^l : E \Rightarrow^* E^l.\ \forall D^r : E \Rightarrow^* E^r.\\
\quad \exists E' : \mathsf{term}\ T.\ \exists R^l : E^l \Rightarrow^* E'.\ \exists R^r : E^r \Rightarrow^* E'.\ \top\\[1ex]
\vdash Q_{\mathit{cr}} \in \Box\,\mathsf{SOME}\ T : \mathsf{tp}.\ \mathsf{BLOCK}\ x : \mathsf{term}\ T, u : x \Rightarrow x.\\
\quad \forall T : \mathsf{tp}.\ \forall E^l : \mathsf{term}\ T.\ \forall E^r : \mathsf{term}\ T.\\
\quad \forall D : E^l \Leftrightarrow E^r.\\
\quad \exists E' : \mathsf{term}\ T.\ \exists R^l : E^l \Rightarrow^* E'.\ \exists R^r : E^r \Rightarrow^* E'.\ \top
\end{array}$$

Similarly, the confluence lemma is provable under the meta-hypothesis that there is a proof of the strip lemma: $Q_{\mathit{conf}}$ is the desugared version of the proof term in Figure 4.6.

$$\begin{array}{l}
\mathit{strip} \in \Box\,\mathsf{SOME}\ T : \mathsf{tp}.\ \mathsf{BLOCK}\ x : \mathsf{term}\ T, u : x \Rightarrow x.\\
\quad \forall T : \mathsf{tp}.\ \forall E : \mathsf{term}\ T.\ \forall E^l : \mathsf{term}\ T.\ \forall E^r : \mathsf{term}\ T.\\
\quad \forall D^l : E \Rightarrow E^l.\ \forall D^r : E \Rightarrow^* E^r.\\
\quad \exists E' : \mathsf{term}\ T.\ \exists R^l : E^l \Rightarrow^* E'.\ \exists R^r : E^r \Rightarrow E'.\ \top\\[1ex]
\vdash Q_{\mathit{conf}} \in \Box\,\mathsf{SOME}\ T : \mathsf{tp}.\ \mathsf{BLOCK}\ x : \mathsf{term}\ T, u : x \Rightarrow x.\\
\quad \forall T : \mathsf{tp}.\ \forall E : \mathsf{term}\ T.\ \forall E^l : \mathsf{term}\ T.\ \forall E^r : \mathsf{term}\ T.\\
\quad \forall D^l : E \Rightarrow^* E^l.\ \forall D^r : E \Rightarrow^* E^r.\\
\quad \exists E' : \mathsf{term}\ T.\ \exists R^l : E^l \Rightarrow^* E'.\ \exists R^r : E^r \Rightarrow^* E'.\ \top
\end{array}$$

The strip Lemma 3.8 is based on the diamond Lemma 4.6, and its proof term $Q_{\mathit{strip}}$ is the desugared version of the proof term in Figure 4.5.

$$\begin{array}{l}
\mathit{dia} \in \Box\,\mathsf{SOME}\ T : \mathsf{tp}.\ \mathsf{BLOCK}\ x : \mathsf{term}\ T, u : x \Rightarrow x.\\
\quad \forall T : \mathsf{tp}.\ \forall E : \mathsf{term}\ T.\ \forall E^l : \mathsf{term}\ T.\ \forall E^r : \mathsf{term}\ T.\\
\quad \forall D^l : E \Rightarrow E^l.\ \forall D^r : E \Rightarrow E^r.\\
\quad \exists E' : \mathsf{term}\ T.\ \exists R^l : E^l \Rightarrow E'.\ \exists R^r : E^r \Rightarrow E'.\ \top\\[1ex]
\vdash Q_{\mathit{strip}} \in \Box\,\mathsf{SOME}\ T : \mathsf{tp}.\ \mathsf{BLOCK}\ x : \mathsf{term}\ T, u : x \Rightarrow x.\\
\quad \forall T : \mathsf{tp}.\ \forall E : \mathsf{term}\ T.\ \forall E^l : \mathsf{term}\ T.\ \forall E^r : \mathsf{term}\ T.\\
\quad \forall D^l : E \Rightarrow E^l.\ \forall D^r : E \Rightarrow^* E^r.\\
\quad \exists E' : \mathsf{term}\ T.\ \exists R^l : E^l \Rightarrow^* E'.\ \exists R^r : E^r \Rightarrow E'.\ \top
\end{array}$$

On the other hand, the diamond Lemma 4.6 is provable using the substitution lemma as meta-hypothesis. The proof term $Q_{\mathit{dia}}$ is the desugared version of the proof term given in Figure 4.4.

$$\begin{array}{l}
\mathit{subst} \in \Box\,\mathsf{SOME}\ T : \mathsf{tp}.\ \mathsf{BLOCK}\ x : \mathsf{term}\ T, u : x \Rightarrow x.\\
\quad \forall T_1 : \mathsf{tp}.\ \forall T_2 : \mathsf{tp}.\ \forall E_1 : \mathsf{term}\ T_2 \to \mathsf{term}\ T_1.\ \forall E_1' : \mathsf{term}\ T_2 \to \mathsf{term}\ T_1.\\
\quad \forall E_2 : \mathsf{term}\ T_2.\ \forall E_2' : \mathsf{term}\ T_2.\\
\quad \forall D_1 : (\Pi y : \mathsf{term}\ T_2.\ y \Rightarrow y \to E_1\ y \Rightarrow E_1'\ y).\ \forall D_2 : E_2 \Rightarrow E_2'.\\
\quad \exists P : E_1\ E_2 \Rightarrow E_1'\ E_2'.\ \top\\[1ex]
\vdash Q_{\mathit{dia}} \in \Box\,\mathsf{SOME}\ T : \mathsf{tp}.\ \mathsf{BLOCK}\ x : \mathsf{term}\ T, u : x \Rightarrow x.\\
\quad \forall T : \mathsf{tp}.\ \forall E : \mathsf{term}\ T.\ \forall E^l : \mathsf{term}\ T.\ \forall E^r : \mathsf{term}\ T.\\
\quad \forall D^l : E \Rightarrow E^l.\ \forall D^r : E \Rightarrow E^r.\\
\quad \exists E' : \mathsf{term}\ T.\ \exists R^l : E^l \Rightarrow E'.\ \exists R^r : E^r \Rightarrow E'.\ \top
\end{array}$$

Finally, the substitution lemma is directly provable. The proof is formalized by the proof term $Q_{\mathit{subst}}$, the desugared version of the proof term given in Figure 4.3.

$$\begin{array}{l}
\cdot \vdash Q_{\mathit{subst}} \in \Box\,\mathsf{SOME}\ T : \mathsf{tp}.\ \mathsf{BLOCK}\ x : \mathsf{term}\ T, u : x \Rightarrow x.\\
\quad \forall T_1 : \mathsf{tp}.\ \forall T_2 : \mathsf{tp}.\ \forall E_1 : \mathsf{term}\ T_2 \to \mathsf{term}\ T_1.\ \forall E_1' : \mathsf{term}\ T_2 \to \mathsf{term}\ T_1.\\
\quad \forall E_2 : \mathsf{term}\ T_2.\ \forall E_2' : \mathsf{term}\ T_2.\\
\quad \forall D_1 : (\Pi y : \mathsf{term}\ T_2.\ y \Rightarrow y \to E_1\ y \Rightarrow E_1'\ y).\ \forall D_2 : E_2 \Rightarrow E_2'.\\
\quad \exists P : E_1\ E_2 \Rightarrow E_1'\ E_2'.\ \top
\end{array}$$

How can we obtain a closed proof of the Church-Rosser theorem? By using lemma instantiations. Lemma instantiations act as substitutions on the meta-level. Entire proofs are substituted into proof terms, thereby gradually instantiating meta-hypotheses. Naturally, lemma instantiations must be well-formed.

Judgment

Well-formed lemma instantiations: $\Xi' \vdash \xi \in \Xi$

Intuitively, a lemma instantiation is well-formed if it is either empty, or if the general proof terms $Q$ are really proofs of the formulas they claim to be proofs of.

$$\frac{}{\Xi' \vdash \cdot \in \cdot}\ \mathrm{sabstract} \qquad\qquad \frac{\Xi' \vdash Q \in G \qquad \Xi' \vdash \xi \in \Xi}{\Xi' \vdash \xi, Q/x \in \Xi, x \in G}\ \mathrm{smeta}$$

Similar to substitution, we write $Q[\xi]$ in order to apply a lemma instantiation $\xi$ to a general proof term $Q$. Lemma instantiations can be composed the same way substitutions can.

Definition 5.23 (Composition of lemma instantiations)

$$\begin{array}{lcl}
\cdot \circ \xi_2 & = & \xi_2\\
(\xi_1, Q/x) \circ \xi_2 & = & (\xi_1 \circ \xi_2), Q[\xi_2]/x
\end{array}$$

Provided that there is a substitution lemma for lemma instantiations (which we prove in Chapter 6), we can prove the validity of lemma instantiation composition.

Lemma 5.24 (Composition of lemma instantiations)

If $\mathcal{D}_1 :: \Xi_2 \vdash \xi_1 \in \Xi_1$
and $\mathcal{D}_2 :: \Xi_3 \vdash \xi_2 \in \Xi_2$
then $\Xi_3 \vdash \xi_1 \circ \xi_2 \in \Xi_1$

As an example, consider the combined proof of the Church-Rosser theorem for parallel reduction,

$$\begin{array}{l}
\cdot \vdash Q_{\mathit{cr}}[Q_{\mathit{conf}}[Q_{\mathit{strip}}[Q_{\mathit{dia}}[Q_{\mathit{subst}}/\mathit{subst}]/\mathit{dia}]/\mathit{strip}]/\mathit{conf}]\\
\quad \in \Box\,\mathsf{SOME}\ T : \mathsf{tp}.\ \mathsf{BLOCK}\ x : \mathsf{term}\ T, u : x \Rightarrow x.\\
\quad \forall T : \mathsf{tp}.\ \forall E^l : \mathsf{term}\ T.\ \forall E^r : \mathsf{term}\ T.\\
\quad \forall D : E^l \Leftrightarrow E^r.\\
\quad \exists E' : \mathsf{term}\ T.\ \exists R^l : E^l \Rightarrow^* E'.\ \exists R^r : E^r \Rightarrow^* E'.\ \top
\end{array}$$

By easy inspection, it follows that all involved lemma instantiations are well-formed, and by the meta-theory which we start to describe in the next chapter, that this proof term indeed formalizes the proof of the Church-Rosser theorem.
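The lemma instantiations used above, as an added Python example that is not code from the thesis or from Twelf: it models general proof terms with meta-hypotheses, the application $Q[\xi]$, the composition of Definition 5.23 and the well-formedness judgment $\Xi' \vdash \xi \in \Xi$, and builds the closed Church-Rosser proof term both by nested application and by composing the four instantiations first. The one-line strings standing in for the lemma statements are an assumption of the example.

```python
"""Lemma instantiations as meta-level substitutions (added example, not thesis or Twelf code)."""
from dataclasses import dataclass
from typing import Dict, Tuple, Union

@dataclass(frozen=True)
class Hyp:                      # meta-hypothesis x: an appeal to a lemma not yet proved
    name: str

@dataclass(frozen=True)
class Proof:                    # proof term Q for `formula`; its body may appeal to meta-hypotheses
    name: str
    formula: str
    body: Tuple["Term", ...]

Term = Union[Hyp, Proof]
Inst = Tuple[Tuple[str, Term], ...]   # xi ::= . | xi, Q/x   (tuple of (x, Q) pairs)
Repo = Dict[str, str]                 # Xi ::= . | Xi, x in G (hypothesis name -> formula)

# Assumed one-line abbreviations of Lemmas 4.5-4.8 and the Church-Rosser theorem.
STATEMENTS = {
    "subst": "E1 y => E1' y, E2 => E2' |- E1 E2 => E1' E2'",
    "dia":   "E => El, E => Er |- exists E'. El => E', Er => E'",
    "strip": "E => El, E =>* Er |- exists E'. El =>* E', Er => E'",
    "conf":  "E =>* El, E =>* Er |- exists E'. El =>* E', Er =>* E'",
    "cr":    "El <=> Er |- exists E'. El =>* E', Er =>* E'",
}

def apply_inst(q: Term, xi: Inst) -> Term:
    """Q[xi]: replace each meta-hypothesis bound in xi by its proof; others stay free."""
    if isinstance(q, Hyp):
        return dict(xi).get(q.name, q)
    return Proof(q.name, q.formula, tuple(apply_inst(s, xi) for s in q.body))

def compose(xi1: Inst, xi2: Inst) -> Inst:
    """Definition 5.23:  . o xi2 = xi2   and   (xi1, Q/x) o xi2 = (xi1 o xi2), Q[xi2]/x."""
    if not xi1:
        return xi2
    *front, (x, q) = xi1
    return compose(tuple(front), xi2) + ((x, apply_inst(q, xi2)),)

def free_hyps(q: Term) -> set:
    """Meta-hypotheses the term still depends on; empty means  . |- Q in G  (a closed proof)."""
    if isinstance(q, Hyp):
        return {q.name}
    return set().union(*(free_hyps(s) for s in q.body))

def proves(repo: Repo, q: Term, g: str) -> bool:
    """Xi |- Q in G.  A meta-hypothesis is typed by rule mhyp (it must be in Xi with
    formula G); a proof term must state G and every lemma it appeals to must be
    provable in the same repository at that lemma's statement."""
    if isinstance(q, Hyp):
        return repo.get(q.name) == g
    return q.formula == g and all(proves(repo, s, STATEMENTS[s.name]) for s in q.body)

def well_formed(repo_out: Repo, xi: Inst, repo_in: Repo) -> bool:
    """Xi' |- xi in Xi: xi covers exactly the hypotheses of Xi, and each Q/x proves
    the formula Xi assigns to x using only hypotheses from Xi'."""
    return set(dict(xi)) == set(repo_in) and all(proves(repo_out, q, repo_in[x]) for x, q in xi)

def repo(*names: str) -> Repo:
    return {n: STATEMENTS[n] for n in names}

# Each proof term appeals to the lemma below it, as in the chain of judgments above.
Q_SUBST = Proof("subst", STATEMENTS["subst"], ())
Q_DIA = Proof("dia", STATEMENTS["dia"], (Hyp("subst"),))
Q_STRIP = Proof("strip", STATEMENTS["strip"], (Hyp("dia"),))
Q_CONF = Proof("conf", STATEMENTS["conf"], (Hyp("strip"),))
Q_CR = Proof("cr", STATEMENTS["cr"], (Hyp("conf"),))

def close_church_rosser():
    """Build Q_cr[Q_conf[Q_strip[Q_dia[Q_subst/subst]/dia]/strip]/conf] two ways:
    by nested application, and by composing the four instantiations first."""
    nested = apply_inst(Q_CR, (("conf", apply_inst(Q_CONF, (("strip", apply_inst(Q_STRIP,
             (("dia", apply_inst(Q_DIA, (("subst", Q_SUBST),))),))),))),))
    xi: Inst = (("conf", Q_CONF),)            # {strip} |- xi in {conf}
    for x, q in (("strip", Q_STRIP), ("dia", Q_DIA), ("subst", Q_SUBST)):
        xi = compose(xi, ((x, q),))            # keeps the new binding and closes the earlier ones
    composed = apply_inst(Q_CR, xi)           # every bound proof is now closed, so Q_cr[xi] is closed
    return nested, composed, xi

if __name__ == "__main__":
    nested, composed, xi = close_church_rosser()
    print("closed:", free_hyps(composed) == set(), "| same term:", nested == composed)
```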


5.8  Summary 

In this chapter we have described the meta-logic $\mathcal{M}_2^+$ and an appropriate proof term calculus which formalizes meta-proofs as recursive functions. Among the many rules, there are four rules which have side conditions in order to guarantee that the proof term calculus is indeed a calculus of realizers. There is a termination side condition (5.1), which enforces that any evaluation of a recursive function eventually terminates, the coverage side condition (5.2), which ensures that all cases are always covered, the strictness side condition (5.3), which enforces determinacy, and finally the subsumption side condition (5.4), which guarantees soundness of lemma application. A summary of all rules can be found in Appendix A.

The meta-logic is general enough to represent any of the proof terms from Chapter 3 and Chapter 4, such as the entire development of the Church-Rosser proof of ordinary reduction. It is powerful enough to represent the theory of cut-elimination, meta-theoretic properties of programming languages, especially functional and logic programming languages, compiler correctness, and examples from category theory. Not only are all theorems representable in the meta-logic, but they are also automatically derivable, as we will discuss in Chapter 8. A more detailed account of which theorems have been proven automatically will be given in Section 8.5.

$\mathcal{M}_2^+$ has several limitations. The first limitation stems from the observation that the representation power of the meta-logic is directly connected to the representation power of the underlying logical framework. Reasoning about imperative programming languages is not very well supported by the logical framework LF due to the lack of an elegant encoding of state. First promising results have been achieved with an extension of LF to a linear logical framework LLF [CP96], which treats memory cells as resources. Resources disappear whenever accessed. It is during the reassumption phase that the value of a resource can be changed, which makes the linear logical framework a prime candidate for modeling imperative languages. A generalization of $\mathcal{M}_2^+$ to a meta-logic for a linear logical framework such as LLF has not been carried out yet, but it will be discussed briefly in Section 9.1.2.

A second limitation of the meta-logic $\mathcal{M}_2^+$ is that it currently cannot represent any meta-logical arguments which require a proof by logical relations (also known as Tait's method). When applying this method, one normally defines semantically a relation $P$, and in order to show that a judgment $J$ can be transformed into a judgment $J'$, we show that each derivation of $J$ satisfies $P$ and furthermore that each derivation satisfying $P$ can be transformed into a derivation of $J'$. This technique is used for example in the canonical form theorem for the simply-typed λ-calculus. $\mathcal{M}_2^+$ lacks mechanisms such as, for example, quantification over substitutions to express commonly used logical relations $P$.

A third limitation is that $\mathcal{M}_2^+$ is restricted to ∀∃-formulas, and that it offers only a limited number of logical connectives. Many theorems have natural formulations which fall outside this fragment, prompting the user for auxiliary constructions.

This concludes the presentation of the meta-logic $\mathcal{M}_2^+$, and we continue with the presentation of a type-preserving operational semantics, which we use to show that all proof terms are total functions.
6.1 Introduction

The proof term calculus $\mathcal{M}_2^+$ is designed with the idea in mind that all proof terms correspond to total recursive functions called realizers, summarizing derivations and witnessing the soundness of the meta-logic $\mathcal{M}_2^+$. The soundness proof itself is long and introduces many definitions, a sophisticated matching algorithm, a big-step and a small-step semantics. Therefore we have decided to break it up into two chapters. This is the first chapter, and its goal is to demonstrate how proof terms are interpreted as recursive functions and how they can be executed. In future work we will investigate independent applications of $\mathcal{M}_2^+$ as a programming language. In the next chapter we show that all functions in $\mathcal{M}_2^+$ are realizers when they satisfy the termination side condition (5.1) and the coverage side condition (5.2). The reader who is more interested in the practical applications and results is invited to skip these two chapters and to continue reading Chapter 8, which discusses an implementation of $\mathcal{M}_2^+$ as part of the Twelf system.

This chapter is organized as follows: In Section 6.2, we directly begin with the technical discussion; we formally introduce substitutions, abstractions, subordination, and other necessary concepts, and we derive basic properties such as weakening and substitution lemmas. In Section 6.3 then, we present a syntactic criterion for context schema subsumption necessary for sound lemma invocations. The matching algorithm for case constructs is defined in Section 6.4 as part of the big-step semantics, which is described in Section 6.5. Finally, we conclude this chapter with a summary in Section 6.6.


6.2  Preliminaries 

Proof terms are recursive functions and they operate on LF objects. Because of the different variable concepts used to define $\mathcal{M}_2^+$, there are many different notions of substitutions and substitution applications to be considered. Generalized substitutions for example enjoy the same properties that the LF substitutions introduced in Section 5.2 enjoy; assumption variables correspond directly to LF variables, and variable blocks are mapped to lists of LF variables. The main difference to LF substitutions is that generalized substitutions carry additional information about the boundaries of variable blocks.

This section is organized as follows: We first discuss basic properties of standard LF substitutions in Section 6.2.1 and issues related to hypothetical arguments in Section 6.2.2. We then derive a set of weakening lemmas, for formulas, proof terms, generalized substitutions, and meta-contexts, in Section 6.2.3, which are required for the upcoming technical discussions. Likewise we prove a variety of substitution lemmas for formulas and proof terms in Section 6.2.4.

6.2.1  LF 

The construction of $\mathcal{M}_2^+$ relies on the fundamental property of LF that canonical forms exist, as shown in Theorem 2.6. But there are also other properties which are equally important for the sake of the formal development. The first property is the weakening property. An object $M$ (type family $A$) remains well-typed (well-kinded) under any extension of the context $\Gamma$. Formally, we write $\Gamma \leq \Gamma'$ if $\Gamma'$ results from interspersing $\Gamma$ with arbitrary (but always well-typed) variable declarations. Note that we implicitly assume that $\vdash \Gamma\ \mathsf{ctx}$ and $\vdash \Gamma'\ \mathsf{ctx}$ hold.

Lemma 6.1 (Weakening for LF)

1. If $\Gamma \vdash M : A$
   and $\Gamma \leq \Gamma'$
   then $\Gamma' \vdash M : A$

2. If $\Gamma \vdash A : K$
   and $\Gamma \leq \Gamma'$
   then $\Gamma' \vdash A : K$

Proof: by induction on the typing derivations. □

Similarly, there is a substitution lemma, which expresses that the typing relation is stable under substitution application. The definition of substitution application to LF objects, LF types, and LF kinds is omitted from this thesis.

Lemma 6.2 (Substitution property of LF)

1. If $\Gamma \vdash M : A$
   and $\Gamma' \vdash \sigma : \Gamma$
   then $\Gamma' \vdash M[\sigma] : A[\sigma]$

2. If $\Gamma \vdash A : K$
   and $\Gamma' \vdash \sigma : \Gamma$
   then $\Gamma' \vdash A[\sigma] : K[\sigma]$

Proof: by induction on the typing derivations. □

This concludes the presentation of all properties of the logical framework LF necessary to carry out the formal analysis of $\mathcal{M}_2^+$.
6.2.2 Abstraction

Abstraction is an operation which is used for example in the definition of the Lnew-rule in Section 5.4.4.

$$\frac{(\mathsf{SOME}\ C_1.\ \mathsf{BLOCK}\ C_2)^L \in S \qquad \Phi \vdash \sigma : C_1 \qquad \Phi \vdash \rho =_\alpha [\sigma]C_2 \qquad \Psi, \rho^L; \Delta \vdash D \in \Psi'; \Delta'}{\Psi; \Delta \vdash \ldots \in \Pi\rho^L.\ (\Psi'; \Delta')}\ \mathrm{Lnew}$$

Abstraction formalizes how results of applying the induction hypothesis are interpreted after an extension of the world is discharged. Hypothetical arguments typically first introduce new assumptions, then apply induction hypotheses or possibly lemmas, and eventually discharge the new assumptions. It is the goal of this subsection to give a formal account of how to interpret, for example, the result of the induction hypothesis after the last step.

Recall the walk through the proof of the reflexivity Lemma 4.3 in Section 5.4.4. In order to prove the case for "lam" we had to introduce new assumptions. More precisely, we introduced a new parameter block in the form of a variable block $(x : \mathsf{term}\ T, u : x \Rightarrow x)^L$. After a few further reasoning steps, we demonstrated the existence of an LF object $P : (E'\ x) \Rightarrow (E'\ x)$, and three meta-assumptions, represented as the meta-assumption list $\Delta'^{(2)}$ on page 117.

$$\begin{array}{lcl}
\Psi'^{(2)} & = & P : (E'\ x) \Rightarrow (E'\ x)\\
\Delta'^{(2)} & = & x_0 \in \forall E : \mathsf{term}\ T.\ \exists D : E \Rightarrow E.\ \top,\\
& & x_1 \in \exists D : (E'\ x) \Rightarrow (E'\ x).\ \top,\\
& & x_2 \in \top
\end{array}$$

Let us first concentrate only on $\Psi'^{(2)}$. What does it mean to reason hypothetically? It simply means that $P$ is the representation image of a derivation $\mathcal{D}$, which possibly uses two assumptions $\underline{x}$ and $\underline{u}$ represented as $\ulcorner \underline{x} \urcorner = x$ and $\ulcorner \underline{u} \urcorner = u$, as already shown in Equation (4.1), keeping in mind that $(x : \mathsf{term}\ T, u : x \Rightarrow x)^L$ is assumed.

$$\left\ulcorner \begin{array}{c} \underline{x} \qquad \underline{u} \\ \mathcal{D} \\ (E'\ x) \Rightarrow (E'\ x) \end{array} \right\urcorner = \Pi x : \mathsf{term}\ T.\ \Pi u : x \Rightarrow x.\ (E'\ x) \Rightarrow (E'\ x)$$

By abstraction we refer to the process that calculates the right-hand side of this equation from the variable block $(x : \mathsf{term}\ T, u : x \Rightarrow x)^L$ and the type of the new assumption $(E'\ x) \Rightarrow (E'\ x)$. We write $P : \Pi(x : \mathsf{term}\ T, u : x \Rightarrow x).\ (E'\ x) \Rightarrow (E'\ x)$ for this operation. Here is a preliminary definition of the abstraction operation $\Pi\rho.\ A$, the same we have already presented earlier.

$$\begin{array}{lcl}
\Pi\cdot.\ A_2 & = & A_2\\
\Pi(x : A_1, \rho).\ A_2 & = & \Pi x : A_1.\ (\Pi\rho.\ A_2)
\end{array}$$

Note that while the abstraction algorithm executes, the hypotheses $\underline{x}$ and $\underline{u}$ are transformed into LF variables $x$ and $u$. Thus, abstraction simultaneously and implicitly removes the "underlines" from variable names. This operation is rather conservative. On the one hand, it is safe because no variable can escape its scope. On the other hand, it is conservative, because it is possible that $x$ can never occur in $\Pi\rho.\ A_2$; for example, no term $x$ can ever occur in the definition of a type "tp". This is impossible, as an easy inspection of the signature in Figure 2.2 shows. Abstracting over $x$ in this situation certainly does not lead to an unsoundness, but it may lead to an incompleteness, as we can easily demonstrate using the proof of Lemma 4.12. Thus, abstraction should be able to strengthen the variable block that is abstracted by removing all declarations that cannot occur in the type.

In the example the hypothetical argument introduces two related parameters: $x$ is an atomic term and $y$ is a term of the same type. Therefore, the regular world extension consists of parameter blocks of the following form: $(x : \mathsf{atm}\ T_1, y : \mathsf{term}\ T_1)^L$. In the proof of Lemma 4.12 the induction hypothesis is applied in an extension of the current world with the result that there exists a term of type $T_2$. This existence is hypothetical, therefore we use the abstraction algorithm to abstract $x$ and $y$. However, using the algorithm in its current form, the result is an object of type "$\mathsf{atm}\ T_1 \to \mathsf{term}\ T_1 \to \mathsf{term}\ T_2$", even though $x$ is a semantically meaningless abstraction. Consequently, we will refine the abstraction algorithm to ignore any semantically meaningless assumption. Only if abstraction ignores the "$x : \mathsf{atm}\ T_1$" hypothesis can the proof be easily completed, as we have already informally argued at the end of Section 4.2.3.

The static analysis of the signature which summarizes which objects of which type can occur as subobjects in objects of some other type is satisfactorily summarized by the dependency relation, or subordination relation [Roh96, Vir99]. Virga has shown that if a type $A_1$ is not subordinate to type $A_2$, then it is impossible that any object of type $A_1$ occurs as a subobject in any object of type $A_2$. As a matter of fact, we can partition type families into equivalence classes modulo subordination and define a partial order on those classes based on subordination. For our purposes, we completely adopt the definition and notation of the subordination relation from Virga [Vir99], Chapter 5, and we write $A_1 \preceq_\Sigma A_2$ iff $A_1 \prec_\Sigma A_2$ or $A_1 = A_2$. Indeed, by Corollary 5.2.2 in [Vir99] we learn that if $A_1 \not\preceq_\Sigma A_2$ then no variable $x : A_1$ can occur freely in any object of type $A_2$. Translated into our setting we obtain the following lemma.

Lemma 6.3 (Subordination)

1. If $A_1 \not\preceq A_2$
   and $\Gamma_1, x : A_1, \Gamma_2 \vdash M : A_2$
   then $\Gamma_1, \Gamma_2 \vdash M : A_2$

2. If $A_1 \not\preceq A_2$
   and $\Gamma_1, x : A_1, \Gamma_2 \vdash A_2 : K$
   then $\Gamma_1, \Gamma_2 \vdash A_2 : K$

Proof: see [Vir99], Corollary 5.2.2. □

This lemma only holds for objects which are valid in regular world extensions that conform with the subordination relation. In our situation it is hence important that the signature and the context schema bound by any general formula do not invalidate the subordination relation. All one has to do is to check all dependencies introduced by the LF types of the BLOCK component of a block schema. More precisely, we write $\prec_S$ for the subordination relation induced by a context schema $S$. In order to guarantee soundness of $\mathcal{M}_2^+$ we must attach a side condition to the rule generalR.

$$(\prec_S) \subseteq (\prec_\Sigma) \tag{6.1}$$

Without loss of generality, we can assume that this side condition is always satisfied for the set of meta-theorems and proofs we are interested in, and hence we drop the subscript and write only $\prec$ instead of $\prec_\Sigma$ (and likewise $\preceq$ for $\preceq_\Sigma$). Inspired by Lemma 6.3, we refine the abstraction operation from above by defining it for arbitrary LF (sub-)contexts. The reader should keep in mind that abstraction is an LF-level operation which expects an LF type as argument and computes a new abstracted LF type. Likewise we define an abstraction operation for objects by building λ-closures in a very similar way.

Definition 6.4 (Abstraction)

1. Type-level abstraction:

$$\begin{array}{lcll}
\Pi\cdot.\ A_2 & = & A_2 &\\
\Pi(x : A_1, \Gamma).\ A_2 & = & \Pi\Gamma.\ A_2 & \text{if } A_1 \not\preceq A_2\\
\Pi(x : A_1, \Gamma).\ A_2 & = & \Pi x : A_1.\ (\Pi\Gamma.\ A_2) & \text{if } A_1 \preceq A_2
\end{array}$$

2. Object-level abstraction: Let $M$ be well-typed of type $A_2$.

$$\begin{array}{lcll}
\lambda\cdot.\ M & = & M &\\
\lambda(x : A_1, \Gamma).\ M & = & \lambda\Gamma.\ M & \text{if } A_1 \not\preceq A_2\\
\lambda(x : A_1, \Gamma).\ M & = & \lambda x : A_1.\ (\lambda\Gamma.\ M) & \text{if } A_1 \preceq A_2
\end{array}$$

It remains to show that the abstraction algorithm is well-defined. But this is an easy consequence of Virga's results. The statement of the theorem relies on

Lemma 6.5 (Single assumption abstraction)

1. For all contexts $\Gamma_1$,
   if $\Gamma_1, \Gamma_2 \vdash A : \mathsf{type}$
   then $\Gamma_1 \vdash \Pi\Gamma_2.\ A : \mathsf{type}$

2. For all contexts $\Gamma_1$,
   if $\Gamma_1, \Gamma_2 \vdash M : A$
   then $\Gamma_1 \vdash \lambda\Gamma_2.\ M : \Pi\Gamma_2.\ A$

Proof: by induction over $\Gamma_2$ (in part 1) and $\Gamma_2$ (in part 2), using Lemma 6.3. A detailed proof can be found in Appendix B.1.1. □

LF-level abstraction ignores semantically meaningless parameter declarations, which can provably never occur in the subject of abstraction. Meta-level assumptions on the other hand are treated differently. In the example above, recall that the assumptions in $\Delta'^{(2)}$ are also abstracted over the same block variable. But on the meta-level, at least in this thesis, we respect parameter block boundaries and do not omit any semantically meaningless parameter declarations. Thus, abstraction translates directly into the application of the inference rule RΠ.
In this subsection so far we have described how to execute abstraction for single LF assumptions and for single meta-assumptions. In the remainder of this subsection we generalize abstraction to extensions $\Psi'; \Delta'$ as used in the Lnew-rule. As an example consider again the reflexivity lemma for parallel reduction from above. In this special case we can simply iterate through $\Psi'^{(2)}; \Delta'^{(2)}$ and repeatedly apply the abstraction operation, which eventually results in $\Psi'^{(1)}; \Delta'^{(1)}$. The reader should be warned: the general case is more complicated.

$$\begin{array}{lcl}
\Psi'^{(1)} & = & P : \Pi x : \mathsf{term}\ T.\ \Pi u : x \Rightarrow x.\ (E'\ x) \Rightarrow (E'\ x)\\
\Delta'^{(1)} & = & x_0 \in \Pi(x : \mathsf{term}\ T, u : x \Rightarrow x)^L.\ \forall E : \mathsf{term}\ T.\ \exists D : E \Rightarrow E.\ \top,\\
& & x_1 \in \Pi(x : \mathsf{term}\ T, u : x \Rightarrow x)^L.\ \exists D : (E'\ x) \Rightarrow (E'\ x).\ \top,\\
& & x_2 \in \Pi(x : \mathsf{term}\ T, u : x \Rightarrow x)^L.\ \top
\end{array}$$

Formally, we write $\Pi\rho^L.\ (\Psi'^{(2)}; \Delta'^{(2)}) = \Psi'^{(1)}; \Delta'^{(1)}$ for this abstraction operation. Clearly, the abstraction of an assumption variable implicitly changes its type, and this change must be reflected at the locations where the variable occurs in a type. In the example above, the only new declaration in $\Psi$ is $P$, and by the formulation of the theorem, $P$ does not occur in any other type as index variable. Thus this example is only a special case.

We encounter the general case in the proof of the diamond Lemma 4.6. In the pbeta/pbeta case for example, we assume the existence of a parameter block (which happens to have the same form as above: $x : \mathsf{term}\ T, u : x \Rightarrow x$). Here is a snapshot of the additional assumptions immediately before the abstraction operation is about to take place. For brevity, we only present the extension to the abstract context.

$$\begin{array}{lcl}
\Psi'^{(2)} & = & E' : \mathsf{term}\ T_2,\ R^l : (E^l\ x) \Rightarrow E',\ R^r : (E^r\ x) \Rightarrow E'\\
\Delta'^{(2)} & = & \ldots
\end{array}$$

Abstraction considers the declaration of $E'$ first. Because of the subordination relation, $u$ is guaranteed not to occur as a subterm of $E'$. Using the abstraction operation from Definition 6.4 we obtain as new type for $E'$: "$\mathsf{term}\ T \to \mathsf{term}\ T_2$". It should be clear that all occurrences of $E'$ must be replaced by the abstracted version of $E'$, namely $E'\ x$.

Next $R^l$ is abstracted, and a quick inspection of the subordination relation reveals that it may depend on $x$ and $u$. Consequently, $R^l$'s new type is $\Pi x : \mathsf{term}\ T.\ \Pi u : x \Rightarrow x.\ (E^l\ x) \Rightarrow (E'\ x)$, and any occurrences of $R^l$ would have to be replaced by $R^l\ x\ u$, but there aren't any. Similarly, $R^r$'s abstracted type is $\Pi x : \mathsf{term}\ T.\ \Pi u : x \Rightarrow x.\ (E^r\ x) \Rightarrow (E'\ x)$.

In summary, after abstraction we must obtain a new abstract context extension, for which we write

$$\begin{array}{lcl}
\Psi'^{(1)} & = & E' : \mathsf{term}\ T \to \mathsf{term}\ T_2,\\
& & R^l : \Pi x : \mathsf{term}\ T.\ \Pi u : x \Rightarrow x.\ (E^l\ x) \Rightarrow (E'\ x),\\
& & R^r : \Pi x : \mathsf{term}\ T.\ \Pi u : x \Rightarrow x.\ (E^r\ x) \Rightarrow (E'\ x)\\
\Delta'^{(1)} & = & \ldots
\end{array}$$

and naturally, $\Delta'^{(1)}$ follows from $\Delta'^{(2)}$ by replacing all occurrences of $E'$ by $(E'\ x)$, followed by the standard abstraction step for formulas as described in Section 6.2.2.

In the general case, the occurrence of a variable might be abstracted over several variables, possibly over all variables declared by the new parameter block which satisfy the subordination condition we have described in Section 6.2.2. In the example above, for $\rho = x : \mathsf{term}\ T, u : x \Rightarrow x$ we write $(E'\ \rho)/E'$. The notation $E'\ \rho$ is introduced to facilitate the presentation. Again, we lose the underlines of the parameter variables when executing this variable application. It is defined as follows.

Definition 6.6 (Variable application) Let $E'$ be well-typed of type $A_2$.

$$\begin{array}{lcll}
E'\ \cdot & = & E' &\\
E'\ (x : A_1, \rho) & = & (E'\ x)\ \rho & \text{if } A_1 \preceq A_2\\
E'\ (x : A_1, \rho) & = & E'\ \rho & \text{if } A_1 \not\preceq A_2
\end{array}$$

We begin now with the formal definition of the $\Pi\rho^L.(\Psi; \Delta) = \Psi'; \Delta'$ relation. The reader should be aware that neither $\Psi; \Delta$ nor $\Psi'; \Delta'$ are meta-contexts by themselves; they are merely valid extensions of some meta-context $\Psi_0; \Delta_0$. Formally, it always holds that

$$\vdash \Psi_0, \rho^L, \Psi\ \mathsf{abstract}$$
$$\Psi_0, \rho^L, \Psi \vdash \Delta_0, \Delta\ \mathsf{meta}$$

and the same for the abstracted versions:

$$\vdash \Psi_0, \Psi'\ \mathsf{abstract}$$
$$\Psi_0, \Psi' \vdash \Delta_0, \Delta'\ \mathsf{meta}$$

The basic idea of the definition of $\Pi\rho^L.(\Psi; \Delta)$ is therefore to traverse $\Psi$, abstract it to $\Psi'$, and simultaneously replace all occurrences of abstracted variables by their abstracted counterparts in the rest of $\Psi$ and in $\Delta$.

Judgment

Meta-context abstraction: $\Pi\rho^L.(\Psi; \Delta) = \Psi'; \Delta'$

Rules

$$\frac{}{\Pi\rho^L.(\cdot;\ \cdot) = \cdot;\ \cdot}\ \text{rempty}$$

$$\frac{\Pi\rho^L.([(x\ \rho)/x]\Psi;\ [(x\ \rho)/x]\Delta) = \Psi';\ \Delta'}{\Pi\rho^L.(x : A, \Psi;\ \Delta) = x : \Pi\rho.A, \Psi';\ \Delta'}\ \text{rass}$$

$$\frac{\Pi\rho^L.(\cdot;\ \Delta) = \cdot;\ \Delta'}{\Pi\rho^L.(\cdot;\ x \in F, \Delta) = \cdot;\ x \in \Pi\rho^L.F, \Delta'}\ \text{rmeta}$$

Meta-context abstraction is used in the definition of the meta-logic $\mathcal{M}_2^+$, specifically for the definition of the Lnew-rule. When executing a proof term, we calculate an instantiation for those variable declarations, as we discuss in Section 6.5, and those instantiations must clearly be abstracted accordingly. For obvious reasons, we call this operation meta-substitution abstraction, and write $\Lambda\rho^L.(\psi; \delta) = \psi'; \delta'$. Note that the instantiation is only a tail of a real meta-substitution, i.e. such instantiations are partial in the same sense as meta-contexts above are extensions of real meta-contexts.

Judgment

Meta-substitution abstraction: $\Lambda\rho^L.(\psi; \delta) = \psi'; \delta'$

Rules

$$\frac{}{\Lambda\rho^L.(\cdot;\ \cdot) = \cdot;\ \cdot}\ \text{rpempty}$$

$$\frac{\Lambda\rho^L.(\psi;\ \delta) = \psi';\ \delta'}{\Lambda\rho^L.(M/x, \psi;\ \delta) = \Lambda\rho.M/x, \psi';\ \delta'}\ \text{rpass}$$

$$\frac{\Lambda\rho^L.(\cdot;\ \delta) = \cdot;\ \delta'}{\Lambda\rho^L.(\cdot;\ P/x, \delta) = \cdot;\ \Lambda\rho^L.P/x, \delta'}\ \text{rpmeta}$$

The reader might already suspect that if $\Psi'; \Delta'$ is a valid meta-context, and in $\Psi'; \Delta'$ the meta-substitution extension $\psi; \delta$ instantiates the meta-context extension $\Psi; \Delta$, then we can safely abstract the variable block $\rho^L$. As a result we obtain a new meta-substitution extension $\Lambda\rho^L.(\psi; \delta)$ declared for $\Pi\rho^L.(\Psi; \Delta)$. This result is one of the basic ingredients of the proofs of type preservation for the operational semantics.

Lemma 6.7 (Extension abstraction)

1. If $\mathcal{D} :: \Psi_0, \rho'^L; \cdot \vdash \psi_1, \rho'/\rho, \psi; \delta \in \Psi_1, \rho^L, \Psi; \Delta$
   and $\mathcal{V} :: \Psi_0; \cdot \vdash \psi_1; \cdot \in \Psi_1; \cdot$
   then $\Psi_0; \cdot \vdash \psi_1, \psi'; \delta' \in \Psi_1, \Psi'; \Delta'$
   and $\psi'; \delta' = \Lambda\rho^L.(\psi; \delta)$
   and $\Psi'; \Delta' = \Pi\rho^L.(\Psi; \Delta)$

2. If $\mathcal{D} :: \Psi_0, \rho'^L; \cdot \vdash \psi_1, \rho'/\rho; \delta \in \Psi_1, \rho^L; \Delta$
   and $\mathcal{V} :: \Psi_0; \cdot \vdash \psi_1; \cdot \in \Psi_1; \cdot$
   then $\Psi_0; \cdot \vdash \psi_1; \delta' \in \Psi_1; \Delta'$
   and $\cdot; \delta' = \Lambda\rho^L.(\cdot; \delta)$
   and $\cdot; \Delta' = \Pi\rho^L.(\cdot; \Delta)$

Proof: by induction on $\Psi$ (1) and $\Delta$ (2), using Lemma 6.5. A detailed proof can be found in Appendix B.1.1. □

This concludes our discussion of abstraction, and we continue with the presentation of a few weakening results.

6.2.3 Weakening

The weakening results for LF from Section 6.2.1 generalize directly to weakening results for meta-level constructs such as generalized contexts, formulas, meta-contexts, and proof terms. To establish these results is the goal of this subsection.

We begin with the presentation of a weakening result for generalized substitutions. If a generalized substitution has co-domain $\Psi$ and $\Psi'$ extends $\Psi$, then, as expected, the same substitution is still well-defined in the extended co-domain $\Psi'$. Similarly to Section 6.2.1, we write $\Psi \le \Psi'$ for "$\Psi'$ extends $\Psi$" and again, we implicitly assume that $\vdash \Psi\ \mathsf{abstract}$ and $\vdash \Psi'\ \mathsf{abstract}$. $\Psi'$ stems from $\Psi$ by inserting new assumption variables and variable block declarations.

Lemma 6.8 (Weakening of generalized substitutions)

If $\mathcal{D} :: \Psi' \vdash \psi \in \Psi$
and $\Psi' \le \Psi''$
then $\Psi'' \vdash \psi \in \Psi$

Proof: by induction on $\mathcal{D}$ using Lemma 6.1. □

Recall from Section 5.4.3 that the well-formedness judgment for formulas is defined with respect to a generalized context $\Psi$. Naturally, a weakening result for proof terms implicitly requires that weakening of meta-contexts is admissible, which itself relies on a weakening result for formulas. This last lemma can be easily proven by induction on the structure of the formula.

Lemma 6.9 (Weakening of formulas)

If $\mathcal{D} :: \Psi \vdash F\ \mathsf{formula}$
and $\Psi \le \Psi'$
then $\Psi' \vdash F\ \mathsf{formula}$

Proof: by induction on $\mathcal{D}$, using Lemma 6.1. □

The next goal is to establish a similar weakening result for proof terms. Proof terms may be open with respect to $\Psi; \Delta$. In particular, proof terms are defined in terms of declarations $D$ and explicit meta-substitutions $\psi; \delta$, for which we show the weakening property first. From the definition of meta-contexts in Section 5.5.2, it follows immediately that $\Psi$ is a generalized context. How shall we define context extensions of meta-contexts? We follow the same pattern as above and say that $\Psi'; \Delta'$ extends $\Psi; \Delta$ if $\Psi \le \Psi'$ and $\Delta'$ results from inserting new meta-assumptions of the form $x \in F$ into $\Delta$. In this case we write $\Psi; \Delta \le \Psi'; \Delta'$, where we always implicitly assume that the left- and right-hand sides of this notation are well-formed meta-contexts. Naturally, the argument that this construction works rests on the weakening property for meta-contexts.

Lemma 6.10 (Weakening of meta-contexts)

If $\mathcal{D} :: \Psi \vdash \Delta\ \mathsf{meta}$
and $\Psi \le \Psi'$
then $\Psi' \vdash \Delta\ \mathsf{meta}$

Proof: by induction on $\mathcal{D}$, using Lemma 6.9. □

The weakening lemma for proof terms cannot be proven directly, since proof terms are mutually dependent on declarations and explicit meta-substitutions. Consequently, the generalized form of the theorem must provide extra cases for those two constructs.

Lemma 6.11 (Weakening of proof terms)

1. If $\mathcal{D} :: \Psi; \Delta; \Xi \vdash P \in F$
   and $\Psi; \Delta \le \Psi'; \Delta'$
   then $\Psi'; \Delta'; \Xi \vdash P \in F$

2. If $\mathcal{D} :: \Psi; \Delta; \Xi \vdash D \in \Psi''; \Delta''$
   and $\Psi; \Delta \le \Psi'; \Delta'$
   then $\Psi'; \Delta'; \Xi \vdash D \in \Psi''; \Delta''$

3. If $\mathcal{D} :: \Psi'; \Delta' \vdash \psi; \delta \in \Psi; \Delta$
   and $\Delta' \le \Delta''$
   then $\Psi'; \Delta'' \vdash \psi; \delta \in \Psi; \Delta$

Proof: by induction on $\mathcal{D}$ (1), $\mathcal{D}$ (2), and $\mathcal{D}$ (3). □

Weakening is an essential property which is used implicitly and explicitly over and over throughout the entire theoretical investigation of this thesis, especially when we examine the interaction of substitutions and derivations in the meta-logic $\mathcal{M}_2^+$, which will be discussed in the next subsection.

6.2.4 Substitution

Substitutions are omnipresent in our investigation. The subject of the case construct in Section 5.6.2, for example, is defined by a pair of explicit substitutions: one which collects instantiations for assumptions and variable blocks, and another which explicitly tracks instantiations of meta-variables. The first substitution is a generalized substitution, and the second a meta-substitution. Third, there are lemma instantiations. Recall that any proof is parametrized by a lemma repository $\Xi$ which contains a list of lemmas, not necessarily proven yet, but which may be used during a meta-proof. All in all, there are three variable concepts and consequently three different notions of substitution. In this subsection we are concerned with the application and interaction of the different kinds of substitutions with context schemas, formulas, abstractions, and proof terms.

Context schemas

Context schemas are abstract descriptions of regularly formed parameter contexts. Every theorem is quantified by one outermost context schema. In Section 5.3, for example, we have specified a precise criterion of how to judge if a parameter block is an instance of a block schema $\mathsf{SOME}\ C_1.\ \mathsf{BLOCK}\ C_2$. First, all SOME-parameters must be instantiated by well-typed objects, well-typed in some generalized context $\Psi$. This process is referred to as SOME-instantiation. The parameter block in question must then be equivalent to the BLOCK-construction of this block schema. These two constructions are used in the Lnew-rule. It is this setting for which we need a substitution property.

Lemma 6.12 (Substitution lemma for context schemas)

1. If $\mathcal{D} :: \Psi \vdash \sigma : C_1$
   and $\Psi' \vdash \psi \in \Psi$
   then $\Psi' \vdash \sigma \circ \psi : C_1$

2. If $\mathcal{C} :: \Psi \vdash [\sigma]C = \rho$
   and $\Psi' \vdash \psi \in \Psi$
   then $\Psi' \vdash [\sigma \circ \psi]C = [\psi]\rho$

Proof: by structural induction on $\mathcal{D}$ (1) and $\mathcal{C}$ (2), using Lemma 6.2. □
Formulas

The application of generalized substitutions to formulas, $F[\psi] = F'$, is easily defined.

$$(\forall x : A.\ F)[\psi] = \forall x : A[\psi].\ F[\psi, x/x] \quad (\text{sAll})$$
$$(\Pi\rho^L.\ F)[\psi] = \Pi([\psi]\rho)^L.\ F[\psi, [\psi]\rho/\rho] \quad (\text{sAllP})$$
$$(\exists x : A.\ F)[\psi] = \exists x : A[\psi].\ F[\psi, x/x] \quad (\text{sEx})$$
$$\top[\psi] = \top \quad (\text{sTrue})$$
$$(F_1 \wedge F_2)[\psi] = F_1[\psi] \wedge F_2[\psi] \quad (\text{sAnd})$$

It is similarly easy to see that substitution application is sound.

Lemma 6.13 (Substitution lemma for formulas)

If $\mathcal{D} :: \Psi \vdash F\ \mathsf{formula}$
and $\mathcal{V} :: \Psi' \vdash \psi \in \Psi$
then $\Psi' \vdash F[\psi]\ \mathsf{formula}$.

Proof: by induction on $\mathcal{D}$ using Lemma 6.2. □

Note that general formulas are always closed. Therefore they do not have to be considered for any kind of substitution operation. The careful reader will undoubtedly have noticed that the substitutions used, for example, in the $\exists$R or $\forall$L rules are not completely specified. In the rule $\exists$R, for example, we write $M/x$ as substitution, but we really mean $\mathrm{id}_\Psi, M/x$. We have committed to this simplification in order to keep this discussion short and accessible. Finally, we derive a limited commutativity property for substitutions.

Lemma 6.14 (Properties of substitution)

1. $F[M/x][\psi] = F[\psi, x/x][M[\psi]/x]$

2. $F[\rho'/\rho][\psi] = F[\psi, \rho/\rho][[\psi]\rho'/\rho]$

Proof: by induction on $F$. □

Meta-assumptions

Meta-assumption lists are lists of possibly open formulas. They are defined with respect to a generalized context: $\Psi \vdash \Delta\ \mathsf{meta}$. The notion of substitution application to formulas can be easily generalized to those lists, for which we write $[\psi]\Delta = \Delta'$.

$$[\psi]\cdot = \cdot \quad (\text{sassempty})$$
$$[\psi](x \in F, \Delta) = x \in F[\psi], [\psi]\Delta \quad (\text{sasscons})$$

In this definition we use another simple trick in order to facilitate the presentation. Even though assumption lists typically grow to the right, we treat them in the definition as if they grew to the left. Even though not necessary here, this trick makes subsequent definitions structural.

Lemma 6.15 (Substitution lemma for assumptions)

If $\mathcal{D} :: \Psi \vdash \Delta\ \mathsf{meta}$
and $\mathcal{V} :: \Psi' \vdash \psi \in \Psi$
then $\Psi' \vdash [\psi]\Delta\ \mathsf{meta}$.

Proof: by induction on $\mathcal{D}$ using Lemma 6.13. □

Any meta-substitution can be extended in such a way that it acts as the identity substitution on any domain extension. Note that the co-domain must be extended accordingly. This lemma is trivially true, but it requires some work and a few generalizations because of the complicated definition of meta-substitutions.

Lemma 6.16 (Identity extension for declarations)

1. If $\Psi'' \vdash \psi \in \Psi$
   and $\vdash \Psi, \Psi'\ \mathsf{meta}$
   then $\Psi'', [\psi]\Psi' \vdash \psi, \mathrm{id}_{\Psi'} \in \Psi, \Psi'$

2. If $\mathcal{D} :: \Psi''; \Delta'' \vdash \psi; \delta \in \Psi; \Delta$
   and $\vdash \Psi, \Psi'\ \mathsf{meta}$
   then $\Psi'', [\psi]\Psi'; \Delta'' \vdash \psi, \mathrm{id}_{\Psi'}; \delta \in \Psi, \Psi'; \Delta$

3. If $\Psi''; \Delta'' \vdash \psi; \delta \in \Psi; \Delta$
   and $\vdash \Psi, \Psi'\ \mathsf{meta}$
   and $\Psi, \Psi' \vdash \Delta, \Delta'\ \mathsf{abstract}$
   then $\Psi'', [\psi]\Psi'; \Delta'', [\psi, \mathrm{id}_{\Psi'}]\Delta' \vdash \psi, \mathrm{id}_{\Psi'}; \delta, \mathrm{id}_{\Delta'} \in \Psi, \Psi'; \Delta, \Delta'$

Proof: by structural induction on $\Psi'$ (1), $\mathcal{D}$ (2), and $\Delta'$ (3), using Lemma 6.9, Lemma 6.11 (3), the rule sabstract, and Lemma 6.13. □

Back in Section 6.2.2 we have discussed how to abstract new meta-assumptions. How does abstraction interact with substitution application? Essentially, the answer is a generalization of Lemma 6.14.

Lemma 6.17 (Substitution lemma and abstraction)

$$[\psi](\Pi\rho^L.(\Psi''; \Delta'')) = \Pi([\psi]\rho)^L.([\psi, [\psi]\rho/\rho]\Psi'';\ [\psi, [\psi]\rho/\rho, \mathrm{id}_{\Psi''}]\Delta'')$$

Proof: by structural induction on $\rho$. □

This concludes our presentation of substitution properties for formulas. We continue the discussion and investigate how substitutions can be applied to proof terms.

Proof terms

There are two entirely independent notions of substitution application associated with proof terms. First, there is lemma instantiation. Before a program can be executed, we must guarantee that it doesn't contain any free meta-hypotheses. Meta-hypotheses can only be instantiated by general proof terms. Second, there is meta-substitution application, which is used for example when applying a proof term to some argument object. The operational semantics we define below immediately carries out substitution application; in doing so, it is different from previous versions of $\mathcal{M}_2$ [SP98], where the operational semantics is defined via environments.

The idea behind lemma instantiation has already been explained in Section 5.7. In the following we discuss how it is carried out. A lemma repository consists of free meta-hypotheses. By instantiating them with closed general proof terms, we can turn a hypothetical into a non-hypothetical meta-proof. Formally, we write $Q[\xi] = Q'$, $P[\xi] = P'$ and $D[\xi] = D'$ to apply the lemma instantiation $\xi$ to a general proof term, a proof term, and a list of declarations, respectively.


General proof terms:

$$x[\xi] = \xi(x) \quad (\text{iHyp})$$
$$(\mathsf{box}\ S.\ P)[\xi] = \mathsf{box}\ S.\ P[\xi] \quad (\text{iCtx})$$

Proof terms:

$$x[\xi] = x \quad (\text{iVar})$$
$$(\lambda x : A.\ P)[\xi] = \lambda x : A.\ P[\xi] \quad (\text{iFun})$$
$$(\Lambda\rho^L.\ P)[\xi] = \Lambda\rho^L.\ P[\xi] \quad (\text{iFunP})$$
$$\langle M, P\rangle[\xi] = \langle M, P[\xi]\rangle \quad (\text{iInx})$$
$$\langle\rangle[\xi] = \langle\rangle \quad (\text{iUnit})$$
$$(\mathsf{let}\ D\ \mathsf{in}\ P)[\xi] = \mathsf{let}\ D[\xi]\ \mathsf{in}\ P[\xi] \quad (\text{iLet})$$
$$(\mu x \in F.\ P)[\xi] = \mu x \in F.\ P[\xi] \quad (\text{iRec})$$
$$\langle P_1, P_2\rangle[\xi] = \langle P_1[\xi], P_2[\xi]\rangle \quad (\text{iPair})$$
$$(\mathsf{case}\ (\psi'; \delta')\ \mathsf{of}\ \Omega)[\xi] = \mathsf{case}\ (\psi'; \delta')\ \mathsf{of}\ \Omega[\xi] \quad (\text{iCase})$$

Declarations:

$$\cdot[\xi] = \cdot \quad (\text{iDone})$$
$$((x : A, y \in F) = P, D)[\xi] = ((x : A, y \in F) = P[\xi], D[\xi]) \quad (\text{iSplit})$$
$$(x \in F = P\ M, D)[\xi] = (x \in F = P[\xi]\ M, D[\xi]) \quad (\text{iApp})$$
$$(x \in F = P\ \rho, D)[\xi] = (x \in F = P[\xi]\ \rho, D[\xi]) \quad (\text{iAppP})$$
$$(\nu\rho^L.\ D)[\xi] = \nu\rho^L.\ D[\xi] \quad (\text{iNew})$$
$$(x \in F = \pi_1\ P, D)[\xi] = (x \in F = \pi_1\ P[\xi], D[\xi]) \quad (\text{iPil})$$
$$(x \in F = \pi_2\ P, D)[\xi] = (x \in F = \pi_2\ P[\xi], D[\xi]) \quad (\text{iPir})$$
$$(y \in F = \mathsf{lemma}\ Q, D)[\xi] = (y \in F = \mathsf{lemma}\ Q[\xi], D[\xi]) \quad (\text{iLem})$$

And, as one might already expect, the application of lemma instantiations is sound:

Lemma 6.18 (Soundness of lemma instantiation)

If $\mathcal{D} :: \Psi; \Delta; \Xi \vdash P \in F$
and $\mathcal{V} :: \Xi' \vdash \xi \in \Xi$
then $\Psi; \Delta; \Xi' \vdash P[\xi] \in F$.

Proof: by induction on $\mathcal{D}$. □

Hypothetical meta-proofs can be turned non-hypothetical by providing general proof terms for each meta-hypothesis. As a matter of fact, all future considerations involving the operational semantics require $\Xi$ to be empty. In particular, programs $P$ and general programs $Q$ are executable only if they are defined with respect to an empty lemma repository.

In the remainder of this subsection we are concerned with the application of a meta-substitution $\psi; \delta$, which replaces variables in $\Psi$ and meta-assumptions in $\Delta$ simultaneously. Meta-substitutions can only be applied to programs and declarations. Clearly, there is no need to apply them to general programs, since they are always closed by definition. In addition, they need not be applied to cases $\Omega$ because of the choice of case subjects: a case subject is an explicit substitution which absorbs all substitution applications by composition while shielding the list of cases $\Omega$ from substitution application. Only when a case construct is operationally executed, i.e. one of its cases is selected and matched against (see Section 6.4), is the newly derived matching substitution applied to its body. For the application of a meta-substitution to programs we write $P[\psi; \delta] = P'$ and to declarations $D[\psi; \delta] = D'$. Both judgments are mutually recursive and defined by the following rules.

The construction of $\mathrm{id}_{\Psi'}$ and $\mathrm{id}_{\Delta'}$ in the rule sLet can be easily calculated while applying $\psi; \delta$ to $D$. In essence, it summarizes all newly introduced assumptions and meta-assumptions of $D[\psi; \delta]$. Alternatively, we could have made the calculation of $\mathrm{id}_{\Psi'}$ and $\mathrm{id}_{\Delta'}$ explicit, which would have noticeably cluttered the presentation. Note the use of meta-substitution compos
ition in the rule sCase, as described above. The composition itself is described by Definition 5.19. The subject of case in rule sCase is an explicit substitution, and substituting into a case object reduces to substitution composition.


$$x[\psi; \delta] = \delta(x) \quad (\text{sVar})$$
$$(\lambda x : A.\ P)[\psi; \delta] = \lambda x : A[\psi].\ P[\psi, x/x; \delta] \quad (\text{sFun})$$
$$(\Lambda\rho^L.\ P)[\psi; \delta] = \Lambda([\psi]\rho)^L.\ P[\psi, [\psi]\rho/\rho; \delta] \quad (\text{sFunP})$$
$$\langle M, P\rangle[\psi; \delta] = \langle M[\psi], P[\psi; \delta]\rangle \quad (\text{sInx})$$
$$\langle\rangle[\psi; \delta] = \langle\rangle \quad (\text{sUnit})$$
$$(\mathsf{let}\ D\ \mathsf{in}\ P)[\psi; \delta] = \mathsf{let}\ D[\psi; \delta]\ \mathsf{in}\ P[\psi, \mathrm{id}_{\Psi'}; \delta, \mathrm{id}_{\Delta'}] \quad (\text{sLet})$$
where $\Psi'; \Delta'$ are the assumptions newly introduced by $D$
$$(\mu x \in F.\ P)[\psi; \delta] = \mu x \in F[\psi].\ P[\psi; \delta, x/x] \quad (\text{sRec})$$
$$\langle P_1, P_2\rangle[\psi; \delta] = \langle P_1[\psi; \delta], P_2[\psi; \delta]\rangle \quad (\text{sPair})$$
$$(\mathsf{case}\ (\psi'; \delta')\ \mathsf{of}\ \Omega)[\psi; \delta] = \mathsf{case}\ (\psi'; \delta') \circ (\psi; \delta)\ \mathsf{of}\ \Omega \quad (\text{sCase})$$
$$\cdot[\psi; \delta] = \cdot \quad (\text{sDone})$$
$$((x : A, y \in F) = P, D)[\psi; \delta] = ((x : A[\psi], y \in F[\psi, x/x]) = P[\psi; \delta], D[\psi, x/x; \delta, y/y]) \quad (\text{sSplit})$$
$$(x \in F = P\ M, D)[\psi; \delta] = (x \in F[\psi] = P[\psi; \delta]\ M[\psi], D[\psi; \delta, x/x]) \quad (\text{sApp})$$
$$(x \in F = P\ \rho, D)[\psi; \delta] = (x \in F[\psi] = P[\psi; \delta]\ [\psi]\rho, D[\psi; \delta, x/x]) \quad (\text{sAppP})$$
$$(\nu\rho^L.\ D)[\psi; \delta] = \nu([\psi]\rho)^L.\ D[\psi, [\psi]\rho/\rho; \delta] \quad (\text{sNew})$$
$$(x \in F = \pi_1\ P, D)[\psi; \delta] = (x \in F[\psi] = \pi_1\ P[\psi; \delta], D[\psi; \delta, x/x]) \quad (\text{sPil})$$
$$(x \in F = \pi_2\ P, D)[\psi; \delta] = (x \in F[\psi] = \pi_2\ P[\psi; \delta], D[\psi; \delta, x/x]) \quad (\text{sPir})$$
$$(y \in F = \mathsf{lemma}\ Q, D)[\psi; \delta] = (y \in F = \mathsf{lemma}\ Q, D[\psi; \delta, y/y]) \quad (\text{sLem})$$


Clearly, closely related to the soundness property of meta-substitution application is the soundness of meta-substitution composition. But before we address the formulation of the substitution lemma, we state some very trivial facts on how to access variable blocks and proof terms in a meta-substitution.

Lemma 6.19 (Lookup)

1. If $\mathcal{D} :: \Psi'; \Delta' \vdash \psi; \delta \in \Psi; \Delta$
   and $\Delta(x) = F$
   then $\Psi'; \Delta' \vdash \delta(x) \in F[\psi]$

2. If $\mathcal{D} :: \Psi'; \Delta' \vdash \psi; \delta \in \Psi; \Delta$
   and $\rho^L \in \Psi$
   then there exists a $\rho'^L \in \Psi'$
   and $[\psi]\rho = \rho'$.

Proof: by induction on $\mathcal{D}$ (1) and $\mathcal{D}$ (2). □
Everything is prepared for the proof of the substitution lemma for proof terms: if a proof term $P$ is well-typed in some meta-context $\Psi; \Delta$ and there exists a meta-substitution $\psi; \delta$ with the same domain, then it is applicable and $P[\psi; \delta]$ is a well-typed proof term in the meta-logic. Clearly, this property is not directly provable, since we must first generalize the lemma to also apply to declarations and to substitution composition.

With the machinery developed so far at hand, the proof of the generalized substitution lemma is a simple induction on the various typing derivations.

Lemma 6.20 (Substitution lemma for proof terms)

1. If $\mathcal{D} :: \Psi; \Delta \vdash P \in F$
   and $\mathcal{V} :: \Psi'; \Delta' \vdash \psi; \delta \in \Psi; \Delta$
   then $\Psi'; \Delta' \vdash P[\psi; \delta] \in F[\psi]$.

2. If $\mathcal{D} :: \Psi; \Delta \vdash D \in \Psi''; \Delta''$
   and $\mathcal{V} :: \Psi'; \Delta' \vdash \psi; \delta \in \Psi; \Delta$
   then $\Psi'; \Delta' \vdash D[\psi; \delta] \in [\psi](\Psi''; \Delta'')$.

3. If $\mathcal{D}_1 :: \Psi_2; \Delta_2 \vdash \psi_1; \delta_1 \in \Psi_1; \Delta_1$
   and $\mathcal{D}_2 :: \Psi_3; \Delta_3 \vdash \psi_2; \delta_2 \in \Psi_2; \Delta_2$
   then $\Psi_3; \Delta_3 \vdash (\psi_1; \delta_1) \circ (\psi_2; \delta_2) \in \Psi_1; \Delta_1$
   and $(\psi_1; \delta_1) \circ (\psi_2; \delta_2) = (\psi_1 \circ \psi_2; \delta')$ for some meta-substitution $\delta'$.

Proof: by induction on $\mathcal{D}$ (1), $\mathcal{D}$ (2), and $\mathcal{D}_1$ (3), using Lemma 6.19, Lemma 6.16, Lemma 5.21, Lemma 6.2, Lemma 6.14, Lemma 6.12, Lemma 6.17, Lemma 6.23, and Lemma 5.18. A detailed proof can be found in Appendix B.1.2. □

The third part of this lemma guarantees that the composition of two meta-substitutions as defined in Definition 5.19 is well-defined.

Corollary 6.21 (Composition of meta-substitutions)

If $\mathcal{D}_1 :: \Psi_2; \Delta_2 \vdash \psi_1; \delta_1 \in \Psi_1; \Delta_1$
and $\mathcal{D}_2 :: \Psi_3; \Delta_3 \vdash \psi_2; \delta_2 \in \Psi_2; \Delta_2$
then $\Psi_3; \Delta_3 \vdash (\psi_1; \delta_1) \circ (\psi_2; \delta_2) \in \Psi_1; \Delta_1$

Proof: follows directly from Lemma 6.20. □

The next few lemmas are of a technical nature. They summarize simple properties needed for the type preservation proof described below. The first of these technical lemmas guarantees the existence of an identity meta-substitution.

Lemma 6.22 (Identity meta-substitution)

If $\vdash \Psi\ \mathsf{abstract}$
and $\Psi \vdash \Delta\ \mathsf{meta}$
then $\Psi; \Delta \vdash \mathrm{id}_\Psi; \cdot \in \Psi; \cdot$

Proof: follows directly from the rule sabstract. □

And the second technical lemma is a substitution lemma for variable blocks. In essence, it is a generalization of Lemma 6.2.

Lemma 6.23 (Variable block convertibility under substitution)

If $\Psi' \vdash \psi \in \Psi$
and $\mathcal{D} :: \Psi \vdash \rho = \rho'$
then $\Psi' \vdash [\psi]\rho = [\psi]\rho'$

Proof: by structural induction over $\mathcal{D}$, using Lemma 6.2. □

This concludes our description of substitution properties for the various syntactic concepts defined in $\mathcal{M}_2^+$. Before we begin with the specification of its operational semantics, we discuss context schema subsumption and matching. Context schema subsumption judges if a lemma is applicable by examining if the regular worlds in which the caller and the callee are defined are compatible. Matching is a technique that selects a case from $\Omega$ and effectively applies it. Simultaneously, we provide syntactic criteria for two of the altogether four side conditions of the proof calculus of $\mathcal{M}_2^+$.

6.3 Subsumption

Proof terms can be interpreted as recursive functions, and thus appeals to lemmas correspond to function calls. This feature is supported by $\mathcal{M}_2^+$ and has been discussed in depth in Section 5.7. But not every proof can apply any lemma; we must first check if the regular world extensions of the caller and callee are compatible: the context schema of the calling realizer must subsume the context schema of the called realizer, as expressed by side Condition (5.4). In this thesis, we specify a very simple syntactic criterion for context subsumption, and we leave the design of more sophisticated criteria to future work.

In general, subsumption is undecidable. The criterion specified here is expressed in the form of a judgment $S_1 \sqsubseteq S_2$ and two inference rules. $S_1$ is the context schema of the caller, $S_2$ the context schema of the callee.

$$\frac{}{\cdot \sqsubseteq S}\ \text{subempty} \qquad \frac{}{S \sqsubseteq S}\ \text{subtriv}$$

If a property is to be proven for closed objects, then any other lemma can be applied, and if the property is to be proven for open objects, then only lemmas can be applied which are defined with exactly the same context schema. Of course, this condition is quite restrictive, but it is powerful enough to allow the formalization of all lemmas we have encountered in Chapter 4 and many more.

Lemma 6.24 (Soundness)

If $\mathcal{D} :: S_1 \sqsubseteq S_2$
then $[S_1] \subseteq [S_2]$

Proof: by case analysis of $\mathcal{D}$. □

Any refinement of the subsumption relation has to satisfy this soundness property. In the next section we present another syntactic criterion, called strictness.
6.4 Matching

One of the fundamental operations necessary for executing proof terms is matching. Once the operational semantics encounters a case statement, it must select a case that is applicable. In Section 5.6.2 we have already informally discussed how this operation is executed. In essence we have defined a pattern matching operation, where patterns are expressed by substitutions. A case is applicable if the pattern matches the current environment.

Having defined pattern matching for recursive functions in this generality raises the question of how we can be sure that we can decide if a case is applicable or not. This might sound like a small technicality, but it is not! In particular, we cannot allow the body of a case to depend on variables that will not be instantiated by pattern matching. Informally, we have already addressed this issue in Section 5.6.2, which led us to the side condition (5.3) associated with the alt-rule. A case is only valid if all variables that may occur in the body are instantiated by pattern matching. The side condition (5.3) unfortunately defines only a semantic criterion, for which we develop a syntactic criterion on substitutions called strictness. Intuitively, a substitution is strict if each variable from its co-domain occurs in a strict position in the substitution. Strictness extends the pattern condition as defined by Miller [Mil91] in a straightforward way.

Consider for example an execution trace of a recursive function, where the executing machine is deciding if the case $(\Psi'; \cdot \rhd \psi \vdash P) \in \Omega$ is applicable. If $\eta$ is the current environment, according to Condition (5.3) we can decide if $\psi$ matches $\eta$ or not. Furthermore, if it matches, all variables in $\Psi'$ will be instantiated. If all variables declared in $\Psi'$ occur in $\psi$ in the form of a pattern, i.e. each variable is applied to pairwise distinct local parameters only, the substitution is strict, since the more general operation of pattern unification is decidable [Mil91, DHKP96].

Unfortunately, in our setting, the substitution $\psi$ is in general not a pattern substitution. As an example consider Example 5.16 (page 129). $\psi_2$ is not a pattern substitution, because $(E_1\ E_2)$ is not a pattern; and it is not a pattern because $E_2$ is not a local parameter. As already pointed out by Virga [Vir99], this observation is quite common when one uses higher-order representation techniques. For this reason, the decidability results from [Mil91] are not directly applicable to our setting.

A possible generalization of patterns is already suggested implicitly by Example 5.16. Even though $E_1\ E_2$ is not a pattern on its own, the variables $E_1$ and $E_2$ occur elsewhere: specifically, they occur in the form of patterns in the object $(\mathsf{app}\ (\mathsf{lam}\ (\lambda x : \mathsf{term}\ T.\ E_1\ x))\ E_2)$ which is to be substituted for $E$. Matching this term with any other term will either fail (due to a constant clash), or it will succeed and thereby properly instantiate $E_1$ and $E_2$. We call these occurrences of $E_1$ and $E_2$ in $\psi_2$ strict occurrences. In the case of success, the non-pattern $E_1\ E_2$ becomes instantiated, it $\beta$-reduces, and the matching algorithm can proceed. In summary, even though $\psi_2$ contains non-pattern occurrences, it can be treated as a pattern substitution as long as there are other pattern occurrences of the same variables in $\psi_2$. A constraint mechanism allows us to locally reorder matching goals, in order to guarantee that strict occurrences of variables are matched before non-strict occurrences. This way, we can indeed enforce the decidability of matching, as long as every variable declared in $\Psi'$ occurs in a strict position in $\psi$.

This section is organized as follows. First, in Section 6.4.1 we introduce an alternative formulation of LF based on the spine calculus inspired by [CP97b]. Using spine notation we introduce a constraint-based matching algorithm in Section 6.4.2 and a precise formal definition of strictness (as syntactic criterion for side condition (5.3)) in Section 6.4.3. Following this discussion we demonstrate that the matching algorithm is sound (in Section 6.4.4) and complete (in Section 6.4.5), provided that $\psi$, the generalized substitution describing a case, is strict with respect to its co-domain. Finally we assess the results in Section 6.4.6.

6.4.1 Spine Calculus

One of the main drawbacks of the standard formulation of LF for the purpose of matching and unification is that it is difficult to describe what the head of a term is. Typically, the head is buried under several applications. However, the rules defining unification or matching algorithms depend crucially on the head of a term. For instance, failure due to a constant clash is triggered by examining the head of a term and not its arguments.

Consider an attempt to match the two terms $(\mathrm{lam}\ (\lambda x{:}\mathrm{term}\ T.\,E\ x))$ and $((\mathrm{app}\ E_1)\ E_2)$ (we intentionally insert all typically omitted parentheses). In order to see that these two terms do not unify we have to traverse several applications, written as juxtaposition, in order to reach the heads of the terms. As a simplification, it is conceivable to adopt an alternative formulation of objects, where the head of an atomic object is explicitly exposed and the arguments are given in the form of a spine. Usually this notation is used informally: $(\mathrm{lam}\ (\lambda x{:}\mathrm{term}\ T.\,E\ x))$, for example, is written in this formulation as $\mathrm{lam} \cdot ((\lambda x{:}\mathrm{term}\ T.\,E\ x);\,\mathrm{NIL})$, where $\mathrm{NIL}$ is the empty spine, and $((\mathrm{app}\ E_1)\ E_2)$ is written as $\mathrm{app} \cdot (E_1;\,E_2;\,\mathrm{NIL})$. In this subsection we presuppose the equivalence of the standard and the spine formulation of LF. For a detailed presentation of spines and many proofs, the interested reader is invited to consult [CP97b]. Canonical forms of LF as described in Section 2.4.3 are expressible in spine notation by the following grammar.

\[
\begin{array}{lrcl}
\text{Kinds:} & K & ::= & \mathrm{type} \mid \Pi x{:}A.\,K\\
\text{Types:} & A & ::= & a \cdot S \mid \Pi x{:}A_1.\,A_2\\
\text{Objects:} & M & ::= & c \cdot S \mid x \cdot S \mid \lambda x{:}A.\,M\\
\text{Spines:} & S & ::= & \mathrm{NIL} \mid M;\,S
\end{array}
\]

Intuitively, every canonical form can easily be represented in spine notation, but the converse does not necessarily hold. The attentive reader might have noticed that LF terms in spine notation are always in $\beta$-normal but not necessarily in $\eta$-long form. On the other hand, there is a simple algorithm which transforms a term in spine notation into $\eta$-long form. For the remainder of this subsection we assume all objects, types, and kinds in spine notation to be images of canonical forms.

6.4.2 Algorithm

Using spine notation, it is now quite straightforward to devise a matching algorithm modulo constraints. Following [Mil91] we express a matching problem by a state formula, and the matching algorithm is specified by a set of transition rules. As a running example throughout this subsection, consider the proof of the diamond Lemma 4.6 for parallel reduction.

What happens if we apply $\mathrm{dia}$ to the term $((\lambda y{:}\mathrm{nat}.\,y)\ x)$ and twice to the derivation $\mathcal{P}$ which we define below? Note that this $\lambda$ is the one we have introduced in Chapter 2, and not the $\lambda$ defined by the logical framework. To make this example more concrete, we assume that natural numbers are defined. $((\lambda y{:}\mathrm{nat}.\,y)\ x)$ is a valid term with respect to the assumption list

\[
x :: \mathrm{term}\ \mathrm{nat},\quad u :: x \Rightarrow x.
\]
\[
\mathcal{P} ::\qquad
\frac{
  \dfrac{\overline{y \Rightarrow y}\;v}{\lambda y{:}\mathrm{nat}.\,y \Rightarrow \lambda y{:}\mathrm{nat}.\,y}\;\mathrm{plam}
  \qquad
  \overline{x \Rightarrow x}\;u
}{(\lambda y{:}\mathrm{nat}.\,y)\ x \Rightarrow x}\;\mathrm{pbeta}
\]

Eventually, $\mathrm{dia}$ will terminate and return the common reduct $e'$ and two derivations $\mathcal{R}^l$ and $\mathcal{R}^r$, as the following diagram shows.

\[
\begin{array}{ccc}
 & (\lambda y{:}\mathrm{nat}.\,y)\ x & \\
\swarrow & & \searrow\\
x & & x\\
\mathcal{R}^l\ \searrow & & \swarrow\ \mathcal{R}^r\\
 & e' &
\end{array}
\]

Not too surprisingly, the result is $e' = x$ and $\mathcal{R}^l = \mathcal{R}^r = u$. In order to understand the subtleties and details of this evaluation, we shift our point of view to LF and follow the evaluation trace. First we represent the arguments in LF.


\[
\begin{array}{lcl}
\ulcorner (\lambda y{:}\mathrm{nat}.\,y)\ x \urcorner & = & \mathrm{app}\ (\mathrm{lam}\ (\lambda y{:}\mathrm{nat}.\,y))\ x\\[1ex]
\ulcorner \mathcal{P} \urcorner & = & \mathrm{pbeta}\ (\mathrm{plam}\ (\lambda y{:}\mathrm{term}\ \mathrm{nat}.\,\lambda v{:}y \Rightarrow y.\,v))\ u
\end{array}
\]

Once the evaluation of

\[
\begin{array}{l}
\mathrm{dia}\ (\mathrm{app}\ (\mathrm{lam}\ (\lambda y{:}\mathrm{nat}.\,y))\ x)\\
\qquad (\mathrm{pbeta}\ (\mathrm{plam}\ (\lambda y{:}\mathrm{term}\ \mathrm{nat}.\,\lambda v{:}y \Rightarrow y.\,v))\ u)\\
\qquad (\mathrm{pbeta}\ (\mathrm{plam}\ (\lambda y{:}\mathrm{term}\ \mathrm{nat}.\,\lambda v{:}y \Rightarrow y.\,v))\ u)
\end{array}
\]

has begun, it immediately invokes the matching algorithm described below. As a matter of fact, with a little insight it is easy to derive from Example 5.16 that the only applicable case is the case containing $\psi_2$. The other three are not applicable because of constant clashes.

We motivate now how the matching algorithm works. The evaluation takes place in a world that has the following form

\[
\Phi = (x : \mathrm{term}\ \mathrm{nat},\ u : x \Rightarrow x)^L.
\]

In addition recall from Example 5.13 that the case statement is valid in the generalized context

\[
\Psi = T : \mathrm{tp},\ E : \mathrm{term}\ T,\ E^l : \mathrm{term}\ T,\ E^r : \mathrm{term}\ T,\ D^l : E \Rightarrow E^l,\ D^r : E \Rightarrow E^r.
\]

Thus, during execution all variables in $\Psi$ become instantiated, and the instantiation is summarized in the form of a substitution. As a matter of fact, this substitution is the case subject and takes the role of a local environment. For the scope of this section we denote it with $\eta$ in order not to confuse it with the other substitutions which come up on numerous occasions. We continue to denote the substitution describing a case with $\psi$. To make this example more concrete, we assume that $x$ has type $\mathrm{nat}$.

\[
\begin{array}{rcl}
\Phi \vdash \eta & = & \mathrm{nat}/T,\ (\mathrm{app}\ (\mathrm{lam}\ (\lambda y{:}\mathrm{nat}.\,y))\ x)/E,\ x/E^l,\ x/E^r,\\
& & (\mathrm{pbeta}\ (\mathrm{plam}\ (\lambda y{:}\mathrm{term}\ \mathrm{nat}.\,\lambda v{:}y \Rightarrow y.\,v))\ u)/D^l,\\
& & (\mathrm{pbeta}\ (\mathrm{plam}\ (\lambda y{:}\mathrm{term}\ \mathrm{nat}.\,\lambda v{:}y \Rightarrow y.\,v))\ u)/D^r\ \in\ \Psi
\end{array}
\]

Once executed, the operational semantics searches through all cases to find one which is applicable. For the purpose of this example, we consider only two cases from Example 5.16. The first case, which is not applicable, is defined by

\[
\psi_1 = T/T,\ x/E,\ x/E^l,\ u/D^l,\ D^r/D^r
\]

and the second case, which is, is defined by

\[
\psi_2 = T/T,\ (\mathrm{app}\ (\mathrm{lam}\ E_1')\ E_2')/E,\ (E_1'\ E_2')/E^l,\ E^r/E^r,\ (\mathrm{pbeta}\ D_1'\ D_2')/D^l,\ D^r/D^r.
\]

The three generalized substitutions $\eta$, $\psi_1$, and $\psi_2$ all have the same domain, but quite different co-domains. The challenge for the matching algorithm is to select an applicable case, i.e. a case whose co-domain variables can be instantiated by another substitution $\eta'$ in such a way that the pair $\psi, \eta'$ is a valid decomposition of the original environment: $\psi \circ \eta' = \eta$. Clearly $\eta'$ is a generalized substitution under $\Phi$, i.e. it can use the same parameters for instantiations as $\eta$, and its domain is the co-domain of $\psi$. In our example, the matching algorithm must construct a $\Phi \vdash \eta' \in \Psi_2$, since $\psi_2$ is the only applicable case. Recall from Example 5.13 that

\[
\begin{array}{rcl}
\Psi_2 & = & T : \mathrm{tp},\ T_1 : \mathrm{tp},\ E_1' : \mathrm{term}\ T_1 \to \mathrm{term}\ T,\ E_2' : \mathrm{term}\ T_1,\\
& & E_1'' : \mathrm{term}\ T_1 \to \mathrm{term}\ T,\ E_2'' : \mathrm{term}\ T_1,\ E^r : \mathrm{term}\ T,\\
& & D_1' : \Pi x{:}\mathrm{term}\ T_1.\ x \Rightarrow x \to E_1'\ x \Rightarrow E_1''\ x,\ D_2' : E_2' \Rightarrow E_2'',\\
& & D^r : (\mathrm{app}\ (\mathrm{lam}\ E_1')\ E_2') \Rightarrow E^r.
\end{array}
\]

and consequently

\[
\begin{array}{rcl}
\eta' & = & \mathrm{nat}/T,\ \mathrm{nat}/T_1,\ (\lambda y{:}\mathrm{nat}.\,y)/E_1',\ x/E_2',\ (\lambda y{:}\mathrm{nat}.\,y)/E_1'',\ x/E_2'',\ x/E^r,\\
& & (\mathrm{plam}\ (\lambda y{:}\mathrm{term}\ \mathrm{nat}.\,\lambda v{:}y \Rightarrow y.\,v))/D_1',\ u/D_2',\\
& & (\mathrm{pbeta}\ (\mathrm{plam}\ (\lambda y{:}\mathrm{term}\ \mathrm{nat}.\,\lambda v{:}y \Rightarrow y.\,v))\ u)/D^r
\end{array}
\]

In the remainder of this subsection we present the matching algorithm which computes such an $\eta'$ if it exists, and reports failure if it does not. As an example of the latter case, consider the generalized substitution $\psi_1$ from above: the attempt to match

\[
\psi_1 = T/T,\ x/E,\ x/E^l,\ u/D^l,\ D^r/D^r
\]

with

\[
\begin{array}{rcl}
\eta & = & \mathrm{nat}/T,\ (\mathrm{app}\ (\mathrm{lam}\ (\lambda y{:}\mathrm{nat}.\,y))\ x)/E,\ x/E^l,\ x/E^r,\\
& & (\mathrm{pbeta}\ (\mathrm{plam}\ (\lambda y{:}\mathrm{term}\ \mathrm{nat}.\,\lambda v{:}y \Rightarrow y.\,v))\ u)/D^l,\\
& & (\mathrm{pbeta}\ (\mathrm{plam}\ (\lambda y{:}\mathrm{term}\ \mathrm{nat}.\,\lambda v{:}y \Rightarrow y.\,v))\ u)/D^r
\end{array}
\]

fails because of clashes in two places (the parameter $x$ against $\mathrm{app}\ \ldots$ for $E$, and the parameter $u$ against $\mathrm{pbeta}\ \ldots$ for $D^l$; indicated by grey backgrounds in the original), and hence an $\eta'$ cannot be constructed. Recall that $x$ and $u$ are not existential variables. They represent a parameter block and therefore this case is clearly not applicable.

We begin now with the definition of the matching algorithm, which is essentially defined via a transition relation on state formulas $E$ in a very similar way to [Mil91]. State formulas are not to be confused with formulas $F$ of the meta-logic $\mathcal{M}_2$ as defined in Section 5.3.1. In the example above, the matching algorithm starts with a state formula $\exists\Psi_2.\ \psi_2 \approx \eta\{\top\}$. The left-hand side of the equation can mention the existential variables declared in $\Psi_2$, whereas the right-hand side is closed with respect to a generalized parameter context $\Phi$. More specifically, we use the notation $\Phi \rhd E$ to denote a specific state of the matching algorithm.

The matching algorithm then begins to decompose $\psi$ and $\eta$ in order to match their components. This gives rise to new state formulas, which we call universal state formulas and which we denote with $U$. Universal state formulas are a conjunction of equations to be solved, equations defined on objects $M_1 \approx M_2$, spines $S_1 \approx S_2$, and types $A_1 \approx A_2$.

The part $\{\top\}$ in the state formula $\exists\Psi_2.\ \psi_2 \approx \eta\{\top\}$ represents the (here empty) constraint store. Since the matching algorithm postpones goals that lie outside the pattern fragment as constraints, they must be stored in a special place. A list of constraints is simply a list of equations still to be resolved, and is consequently represented as a universal formula $\{U\}$.


\[
\begin{array}{lrcl}
\text{Universal state formulas:} & U & ::= & (\psi \approx \eta) \wedge U\\
& & \mid & (\forall\Gamma.\ M_1 \approx M_2) \wedge U\\
& & \mid & (\forall\Gamma.\ S_1 \approx S_2) \wedge U\\
& & \mid & (\forall\Gamma.\ A_1 \approx A_2) \wedge U\\
& & \mid & \top\\[1ex]
\text{Existential state formulas:} & E & ::= & \exists x{:}A.\ E \mid \exists\rho^L.\ E \mid U_1\{U_2\}\\[1ex]
\text{State:} & T & ::= & \Phi \rhd E
\end{array}
\]


The universally quantified context $\Gamma$ preceding equations of the form $M_1 \approx M_2$, $S_1 \approx S_2$, and $A_1 \approx A_2$ is used to represent local parameters, and hence the universal quantifier carries exactly the same meaning as in [Mil91]. $M_1$, $M_2$, $S_1$, $S_2$, $A_1$, and $A_2$ are all valid in $\Gamma$. The $\Phi$ never changes throughout the algorithm, but it is necessary since it characterizes all parameters that have been introduced by an extension to the world.

The matching algorithm is expressed by a judgment $T_1 \Longrightarrow T_2$, which reads as: state $T_1$ is transformed into state $T_2$. As for standard matching and unification algorithms, these rules are successively applied beginning at an initial state, until a solved state is reached. Overall, this solved state is $\Phi \rhd \top\{\top\}$, meaning that all equations and all constraints have been satisfactorily resolved.

Judgment

\[
\text{Match state:}\quad T_1 \Longrightarrow T_2
\]
Rules

\[
\begin{array}{ll}
\mathrm{mconst} :: & \Phi \rhd \exists\Psi.\ (\forall\Gamma.\ c \cdot S_1 \approx c \cdot S_2) \wedge U_1\{U_2\}\\
& \Longrightarrow\ \Phi \rhd \exists\Psi.\ (\forall\Gamma.\ S_1 \approx S_2) \wedge U_1\{U_2\}\\[1ex]
\mathrm{mlam} :: & \Phi \rhd \exists\Psi.\ (\forall\Gamma.\ \lambda x{:}A_1.\,M_1 \approx \lambda x{:}A_2.\,M_2) \wedge U_1\{U_2\}\\
& \Longrightarrow\ \Phi \rhd \exists\Psi.\ (\forall\Gamma.\ A_1 \approx A_2) \wedge (\forall\Gamma, x{:}A_1.\ M_1 \approx M_2) \wedge U_1\{U_2\}\\[1ex]
\mathrm{mlocal} :: & \Phi \rhd \exists\Psi.\ (\forall\Gamma.\ x \cdot S_1 \approx x \cdot S_2) \wedge U_1\{U_2\}\\
& \Longrightarrow\ \Phi \rhd \exists\Psi.\ (\forall\Gamma.\ S_1 \approx S_2) \wedge U_1\{U_2\}\\
& \text{if } x{:}A \in \Gamma\\[1ex]
\mathrm{mglobal} :: & \Phi \rhd \exists\Psi.\ (\forall\Gamma.\ x \cdot S_1 \approx x \cdot S_2) \wedge U_1\{U_2\}\\
& \Longrightarrow\ \Phi \rhd \exists\Psi.\ (\forall\Gamma.\ S_1 \approx S_2) \wedge U_1\{U_2\}\\
& \text{if } x{:}A \in \rho \text{ and } \rho^L \in \Phi\\[1ex]
\mathrm{mpat} :: & \Phi \rhd \exists\Psi.\ (\forall\Gamma.\ x \cdot S_1 \approx M) \wedge U_1\{U_2\}\\
& \Longrightarrow\ \Phi \rhd \exists\Psi_1.\ [\lambda x_1{:}A_1 \ldots x_n{:}A_n.\,M/x](\exists\Psi_2.\ U_1\{U_2\})\\
& \text{if } \Psi = \Psi_1, x{:}A, \Psi_2 \text{ and } S_1 = (x_1; \ldots; x_n; \mathrm{NIL}) \text{ pattern}\\
& \text{and } x_i{:}A_i \in \Gamma \text{ for all } 1 \le i \le n\\
& \text{and all free variables in } M \text{ are among } x_1 \ldots x_n\\[1ex]
\mathrm{mnopat} :: & \Phi \rhd \exists\Psi.\ (\forall\Gamma.\ x \cdot S_1 \approx M) \wedge U_1\{U_2\}\\
& \Longrightarrow\ \Phi \rhd \exists\Psi.\ U_1\{(\forall\Gamma.\ x \cdot S_1 \approx M) \wedge U_2\}\\
& \text{if } \Psi = \Psi_1, x{:}A, \Psi_2 \text{ and } S_1 \text{ is not a pattern}\\[1ex]
\mathrm{mpar} :: & \Phi \rhd \exists\Psi.\ (\forall\Gamma.\ x_i \cdot S_1 \approx y_i \cdot S_2) \wedge U_1\{U_2\}\\
& \Longrightarrow\ \Phi \rhd \exists\Psi_1.\ [\rho'/\rho](\exists\Psi_2.\ A_1 \approx A_1' \wedge \ldots \wedge A_n \approx A_n' \wedge \forall\Gamma.\ S_1 \approx S_2 \wedge U_1\{U_2\})\\
& \text{if } \Psi = \Psi_1, \rho^L, \Psi_2 \text{ and } \rho = x_1{:}A_1 \ldots x_n{:}A_n\\
& \text{and } \Phi = \Phi_1, \rho'^L, \Phi_2 \text{ and } \rho' = y_1{:}A_1' \ldots y_n{:}A_n'\\
& \text{and } 1 \le i \le n\\[1ex]
\mathrm{mfam} :: & \Phi \rhd \exists\Psi.\ (\forall\Gamma.\ a \cdot S_1 \approx a \cdot S_2) \wedge U_1\{U_2\}\\
& \Longrightarrow\ \Phi \rhd \exists\Psi.\ (\forall\Gamma.\ S_1 \approx S_2) \wedge U_1\{U_2\}\\[1ex]
\mathrm{mpi} :: & \Phi \rhd \exists\Psi.\ (\forall\Gamma.\ \Pi x{:}A_1.\,A_1' \approx \Pi x{:}A_2.\,A_2') \wedge U_1\{U_2\}\\
& \Longrightarrow\ \Phi \rhd \exists\Psi.\ (\forall\Gamma.\ A_1 \approx A_2) \wedge (\forall\Gamma, x{:}A_1.\ A_1' \approx A_2') \wedge U_1\{U_2\}\\[1ex]
\mathrm{mnil} :: & \Phi \rhd \exists\Psi.\ (\forall\Gamma.\ \mathrm{NIL} \approx \mathrm{NIL}) \wedge U_1\{U_2\}\\
& \Longrightarrow\ \Phi \rhd \exists\Psi.\ U_1\{U_2\}\\[1ex]
\mathrm{mapp} :: & \Phi \rhd \exists\Psi.\ (\forall\Gamma.\ M_1; S_1 \approx M_2; S_2) \wedge U_1\{U_2\}\\
& \Longrightarrow\ \Phi \rhd \exists\Psi.\ (\forall\Gamma.\ M_1 \approx M_2) \wedge (\forall\Gamma.\ S_1 \approx S_2) \wedge U_1\{U_2\}\\[1ex]
\mathrm{mempty} :: & \Phi \rhd \exists\Psi.\ (\cdot \approx \cdot) \wedge U_1\{U_2\}\\
& \Longrightarrow\ \Phi \rhd \exists\Psi.\ U_1\{U_2\}\\[1ex]
\mathrm{mcons} :: & \Phi \rhd \exists\Psi.\ (\psi, M_1/x \approx \eta, M_2/x) \wedge U_1\{U_2\}\\
& \Longrightarrow\ \Phi \rhd \exists\Psi.\ (\psi \approx \eta) \wedge (M_1 \approx M_2) \wedge U_1\{U_2\}
\end{array}
\]
Note that all but three rules are direct reformulations of the pattern-matching (pattern-unification) rules as presented in [Mil91]. First, $\mathrm{mglobal}$ is a new rule, because of the presence of parameter blocks, which were not present in Miller's investigation. Second, since we are concerned with a standard matching problem, no explicit pruning rule is necessary. Instead, pruning is hard-wired into the $\mathrm{mpat}$-rule. And third, since our matching algorithm is applicable to problems outside the pattern fragment, the $\mathrm{mnopat}$ rule is designed to postpone matching goals. If $S$ is not a pattern, the equation $x \cdot S \approx M$ is postponed and added to the constraint store. The reflexive and transitive closure of single transition steps is denoted by $\Longrightarrow^*$.

\[
\frac{}{T \Longrightarrow^* T}\ \mathrm{mrefl}
\qquad\qquad
\frac{T_1 \Longrightarrow T_2 \qquad T_2 \Longrightarrow^* T_3}{T_1 \Longrightarrow^* T_3}\ \mathrm{mtrans}
\]


Due to the presence of constraints, we are proposing a two-step matching algorithm. First, the matching algorithm is invoked with the initial state until it reaches a state $\top\{U\}$ for some universal formula $U$ representing constraints. Second, the matching algorithm starts in $U\{\top\}$ and continues until the solved state $\top\{\top\}$ is reached. Formally, we write $\vdash T$ matchable if such a sequence of transition steps exists.

\[
\frac{T \Longrightarrow^* \Phi \rhd \top\{U\} \qquad \Phi \rhd U\{\top\} \Longrightarrow^* \Phi \rhd \top\{\top\}}{\vdash T\ \text{matchable}}\ \mathrm{msuccess}
\]


Clearly, the solved state $\top\{\top\}$ does not contain any information about the form of the solution substitution (that is the $\eta'$ in the example above), but once it is formally derived that $\vdash T$ matchable holds, it is simple to transform its derivation into a matching substitution, as we discuss in Section 6.4.4. More generally, we say that a state is solvable iff there exists a substitution $\eta'$ which makes all equations contained in the state equal using $\beta\eta$-equality.

Definition 6.25 (Solution)

\[
\begin{array}{lcl}
\eta' \text{ is a solution of } \psi \approx \eta \wedge U & \text{iff} & \psi \circ \eta' = \eta \text{ and } \eta' \text{ is a solution of } U\\
\eta' \text{ is a solution of } (\forall\Gamma.\ M_1 \approx M_2) \wedge U & \text{iff} & M_1[\eta', \mathrm{id}_\Gamma] = M_2 \text{ and } \eta' \text{ is a solution of } U\\
\eta' \text{ is a solution of } (\forall\Gamma.\ A_1 \approx A_2) \wedge U & \text{iff} & A_1[\eta', \mathrm{id}_\Gamma] = A_2 \text{ and } \eta' \text{ is a solution of } U\\
\eta' \text{ is a solution of } (\forall\Gamma.\ S_1 \approx S_2) \wedge U & \text{iff} & S_1[\eta', \mathrm{id}_\Gamma] = S_2 \text{ and } \eta' \text{ is a solution of } U\\
\eta' \text{ is always a solution of } \top & & \\
\eta' \text{ is a solution of } \exists\Psi.\ U_1\{U_2\} & \text{iff} & \Phi \vdash \eta' \in \Psi \text{ and } \eta' \text{ is a solution of } U_1 \wedge U_2\\
\eta' \text{ is a solution of } \Phi \rhd E & \text{iff} & \Phi \vdash \eta' \in \Psi \text{ and } \eta' \text{ is a solution of } E
\end{array}
\]


As we discuss in Section 6.4.4, the matching algorithm is sound, i.e. if $T = \Phi \rhd \exists\Psi'.\ \psi \approx \eta \wedge \top\{\top\}$ and $\vdash T$ matchable, then $T$ is also solvable, but it is not necessarily complete. On the other hand, if we restrict $T$ to be a strict matching problem (see Section 6.4.3), completeness also holds. This is shown in Section 6.4.5.
We return to the example from above and show the matching algorithm in operation. Recall that we try to match $\psi_2$ with $\eta$. In order to simplify the presentation, we elide the prefix $\Phi \rhd \exists\Psi_2.$ throughout this exposition.

\[
\begin{array}{lcl}
T/T, & & \mathrm{nat}/T,\\
(\mathrm{app}\ (\mathrm{lam}\ E_1')\ E_2')/E, & & (\mathrm{app}\ (\mathrm{lam}\ (\lambda y{:}\mathrm{nat}.\,y))\ x)/E,\\
(E_1'\ E_2')/E^l, & \approx & x/E^l,\\
E^r/E^r, & & x/E^r,\\
(\mathrm{pbeta}\ D_1'\ D_2')/D^l, & & (\mathrm{pbeta}\ (\mathrm{plam}\ (\lambda y{:}\mathrm{term}\ \mathrm{nat}.\,\lambda v{:}y \Rightarrow y.\,v))\ u)/D^l,\\
D^r/D^r & & (\mathrm{pbeta}\ (\mathrm{plam}\ (\lambda y{:}\mathrm{term}\ \mathrm{nat}.\,\lambda v{:}y \Rightarrow y.\,v))\ u)/D^r\quad\{\top\}
\end{array}
\]

After repeated applications of $\mathrm{mcons}$, the substitution is decomposed into several smaller equations.

\[
\begin{array}{lrcl}
& T & \approx & \mathrm{nat}\\
\wedge & (\mathrm{app}\ (\mathrm{lam}\ E_1')\ E_2') & \approx & (\mathrm{app}\ (\mathrm{lam}\ (\lambda y{:}\mathrm{nat}.\,y))\ x)\\
\wedge & (E_1'\ E_2') & \approx & x \qquad\qquad (6.2)\\
\wedge & E^r & \approx & x\\
\wedge & (\mathrm{pbeta}\ D_1'\ D_2') & \approx & (\mathrm{pbeta}\ (\mathrm{plam}\ (\lambda y{:}\mathrm{term}\ \mathrm{nat}.\,\lambda v{:}y \Rightarrow y.\,v))\ u)\\
\wedge & D^r & \approx & (\mathrm{pbeta}\ (\mathrm{plam}\ (\lambda y{:}\mathrm{term}\ \mathrm{nat}.\,\lambda v{:}y \Rightarrow y.\,v))\ u)\ \{\top\}
\end{array}
\]

Starting from top to bottom, each equation is solved. The first equation is removed by $\mathrm{mpat}$ with $\mathrm{nat}/T$.

\[
\begin{array}{lrcl}
& (\mathrm{app}\ (\mathrm{lam}\ E_1')\ E_2') & \approx & (\mathrm{app}\ (\mathrm{lam}\ (\lambda y{:}\mathrm{nat}.\,y))\ x)\\
\wedge & (E_1'\ E_2') & \approx & x\\
\wedge & E^r & \approx & x\\
\wedge & (\mathrm{pbeta}\ D_1'\ D_2') & \approx & (\mathrm{pbeta}\ (\mathrm{plam}\ (\lambda y{:}\mathrm{term}\ \mathrm{nat}.\,\lambda v{:}y \Rightarrow y.\,v))\ u)\\
\wedge & D^r & \approx & (\mathrm{pbeta}\ (\mathrm{plam}\ (\lambda y{:}\mathrm{term}\ \mathrm{nat}.\,\lambda v{:}y \Rightarrow y.\,v))\ u)\ \{\top\}
\end{array}
\]


Likewise, after a few applications of $\mathrm{mconst}$, $\mathrm{mnil}$, $\mathrm{mapp}$ (ignoring the spine notation) and $\mathrm{mpat}$, the new first equation is solved, yielding $(\lambda y{:}\mathrm{nat}.\,y)/E_1'$ and $x/E_2'$, which simplifies the matching problem to

\[
\begin{array}{lrcl}
& x & \approx & x\\
\wedge & E^r & \approx & x \qquad\qquad (6.3)\\
\wedge & (\mathrm{pbeta}\ D_1'\ D_2') & \approx & (\mathrm{pbeta}\ (\mathrm{plam}\ (\lambda y{:}\mathrm{term}\ \mathrm{nat}.\,\lambda v{:}y \Rightarrow y.\,v))\ u)\\
\wedge & D^r & \approx & (\mathrm{pbeta}\ (\mathrm{plam}\ (\lambda y{:}\mathrm{term}\ \mathrm{nat}.\,\lambda v{:}y \Rightarrow y.\,v))\ u)\ \{\top\}.
\end{array}
\]

One transition of $\mathrm{mglobal}$ yields

\[
\begin{array}{lrcl}
& E^r & \approx & x\\
\wedge & (\mathrm{pbeta}\ D_1'\ D_2') & \approx & (\mathrm{pbeta}\ (\mathrm{plam}\ (\lambda y{:}\mathrm{term}\ \mathrm{nat}.\,\lambda v{:}y \Rightarrow y.\,v))\ u)\\
\wedge & D^r & \approx & (\mathrm{pbeta}\ (\mathrm{plam}\ (\lambda y{:}\mathrm{term}\ \mathrm{nat}.\,\lambda v{:}y \Rightarrow y.\,v))\ u)\ \{\top\}.
\end{array}
\]

and several applications of $\mathrm{mpat}$ and $\mathrm{mconst}$ eventually solve the entire matching problem. Note that even though $(E_1'\ E_2')$ in state (6.2) is not a pattern, the instantiation of $E_1'$ and $E_2'$ in state (6.3) brings it back into the pattern fragment. That is why a solution of the problem is possible without the generation of any constraints. The situation is entirely different if the equations in state (6.2) are reordered, a scenario which cannot be excluded.

\[
\begin{array}{lrcl}
& T & \approx & \mathrm{nat}\\
\wedge & (E_1'\ E_2') & \approx & x\\
\wedge & (\mathrm{app}\ (\mathrm{lam}\ E_1')\ E_2') & \approx & (\mathrm{app}\ (\mathrm{lam}\ (\lambda y{:}\mathrm{nat}.\,y))\ x)\\
\wedge & E^r & \approx & x\\
\wedge & (\mathrm{pbeta}\ D_1'\ D_2') & \approx & (\mathrm{pbeta}\ (\mathrm{plam}\ (\lambda y{:}\mathrm{term}\ \mathrm{nat}.\,\lambda v{:}y \Rightarrow y.\,v))\ u)\\
\wedge & D^r & \approx & (\mathrm{pbeta}\ (\mathrm{plam}\ (\lambda y{:}\mathrm{term}\ \mathrm{nat}.\,\lambda v{:}y \Rightarrow y.\,v))\ u)\ \{\top\}
\end{array}
\]


The first equation is solvable by $\mathrm{mpat}$, as above, but the second is not. As a matter of fact, the matching algorithm will postpone it as a constraint using the rule $\mathrm{mnopat}$.

\[
\begin{array}{lrcl}
& (\mathrm{app}\ (\mathrm{lam}\ E_1')\ E_2') & \approx & (\mathrm{app}\ (\mathrm{lam}\ (\lambda y{:}\mathrm{nat}.\,y))\ x)\\
\wedge & E^r & \approx & x\\
\wedge & (\mathrm{pbeta}\ D_1'\ D_2') & \approx & (\mathrm{pbeta}\ (\mathrm{plam}\ (\lambda y{:}\mathrm{term}\ \mathrm{nat}.\,\lambda v{:}y \Rightarrow y.\,v))\ u)\\
\wedge & D^r & \approx & (\mathrm{pbeta}\ (\mathrm{plam}\ (\lambda y{:}\mathrm{term}\ \mathrm{nat}.\,\lambda v{:}y \Rightarrow y.\,v))\ u)\ \{(E_1'\ E_2') \approx x\}
\end{array}
\]

Eventually, it will continue as above, solving all other equations by successively instantiating existential variables until it arrives in the state

\[
\top\{x \approx x\}.
\]

What is the matching algorithm trying next? Obviously this state is not in solved form because the constraint list is not empty. In order to solve it, the algorithm attempts to solve

\[
x \approx x\{\top\}
\]

and certainly it succeeds by $\mathrm{mglobal}$. Finally, as expected, by $\mathrm{msuccess}$ we deduce that the original matching problem is solvable.

Clearly, in the general case, the matching algorithm cannot be complete. This hinges on the fact that in the second pass, when the matching algorithm attempts to solve the constraints, new constraints might arise. Even though possible in theory, this situation does not come up in any of our examples and experiments. There are at least two ways to rectify this incompleteness. First, one could try to generalize the matching algorithm to a bigger set of matching problems, but the reader should be warned that this is not a simple endeavor: higher-order matching problems are known to be decidable only up to third order [Dow92]. Second, one can restrict the set of matching problems. On the one hand, only considering problems from the pattern fragment is too restrictive, as we have seen in this section; higher-order encodings typically fall outside this fragment. On the other hand, the strict fragment of matching problems that we discuss in the following section accommodates significantly more, and for our purposes sufficiently many, matching problems. Below we characterize this strict fragment and show that the matching algorithm restricted to this fragment is decidable, sound, and complete. Unification, on the other hand, might not be decidable any more.
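To make the two-pass procedure of this subsection concrete, here is an added Python sketch (not the thesis's or Twelf's code) of the transition rules on untyped spine-notation terms: mpat instantiates pattern goals and pushes the instantiation into the remaining equations and into the constraint store, mnopat postpones non-pattern goals, and a second pass reruns the store. It assumes well-typed canonical input with pairwise distinct binder and variable names, omits types and the mpar rule, and the samples PSI2, ETA and PSI1 are constructed after the running example.

```python
"""Two-phase matching with postponed constraints, after Section 6.4.2.
Added example, not the thesis's or Twelf's code.  Types are omitted (input is
assumed well-typed and canonical) and all binder and variable names are
assumed distinct, so substitution does not check for capture."""

# Spine notation: ('c', name, spine) constant head, ('p', name, spine) parameter
# head (local from Gamma or global from Phi), ('v', name, spine) existential
# variable head, ('lam', name, body) abstraction.
def C(name, *spine): return ('c', name, list(spine))
def P(name, *spine): return ('p', name, list(spine))
def V(name, *spine): return ('v', name, list(spine))
def L(name, body): return ('lam', name, body)

def apply(m, spine):
    """Apply m to a spine, beta-reducing whenever m is an abstraction."""
    for arg in spine:
        if m[0] == 'lam':
            m = subst(m[2], m[1], arg)
        else:
            m = (m[0], m[1], m[2] + [arg])
    return m

def subst(m, name, value):
    """[value/name]m for a head variable or parameter `name`."""
    if m[0] == 'lam':
        return ('lam', m[1], subst(m[2], name, value))
    spine = [subst(arg, name, value) for arg in m[2]]
    if m[0] in ('p', 'v') and m[1] == name:
        return apply(value, spine)
    return (m[0], m[1], spine)

def local_params(m, gamma):
    """Parameters of gamma occurring free in m."""
    if m[0] == 'lam':
        return local_params(m[2], gamma)
    free = {m[1]} if m[0] == 'p' and m[1] in gamma else set()
    for arg in m[2]:
        free |= local_params(arg, gamma)
    return free

def is_pattern(spine, gamma):
    """Gamma |- S pattern: pairwise distinct local parameters, each with an empty spine."""
    names = [a[1] for a in spine if a[0] == 'p' and a[1] in gamma and not a[2]]
    return len(names) == len(spine) == len(set(names))

def run(eqns, theta, store):
    """One pass of the transition rules over eqns, a list of (gamma, lhs, rhs).
    Instantiations go into theta; returns the residual constraint store, or
    False on a clash."""
    while eqns:
        gamma, m1, m2 = eqns.pop(0)
        if m1[0] == 'lam' and m2[0] == 'lam':                       # mlam
            body2 = subst(m2[2], m2[1], P(m1[1]))                     # rename binder
            eqns.insert(0, (gamma | {m1[1]}, m1[2], body2))
        elif m1[0] == 'v':
            x, spine = m1[1], m1[2]
            if is_pattern(spine, gamma) and local_params(m2, gamma) <= {a[1] for a in spine}:
                sol = m2                                              # mpat: x := lam x1..xn. M
                for arg in reversed(spine):
                    sol = L(arg[1], sol)
                theta[x] = sol
                eqns = [(g, subst(a, x, sol), b) for g, a, b in eqns]
                store = [(g, subst(a, x, sol), b) for g, a, b in store]
            else:
                store.append((gamma, m1, m2))                         # mnopat: postpone
        elif m1[0] == m2[0] and m1[1] == m2[1] and len(m1[2]) == len(m2[2]):
            eqns = [(gamma, a, b) for a, b in zip(m1[2], m2[2])] + eqns  # mconst/mlocal/mglobal + mapp/mnil
        else:
            return False                                              # clash
    return store

def match(psi, eta):
    """Match the case substitution psi against the ground environment eta.
    Returns None on a clash, else (theta, leftover): theta is the solution
    substitution eta' and leftover the constraints a third pass would need."""
    theta = {}
    eqns = [(frozenset(), psi[y], eta[y]) for y in psi]              # mcons, mempty
    store = run(eqns, theta, [])                                      # first pass
    if store is False:
        return None
    leftover = run(store, theta, [])                                  # second pass on the store
    return None if leftover is False else (theta, leftover)

# Constructed samples after the running example (x, u are the parameters of Phi).
ID = L('y', P('y'))                                                   # lambda y:nat. y
PDERIV = C('pbeta', C('plam', L('y', L('v', P('v')))), P('u'))       # the derivation P
ETA = {'T': C('nat'), 'E': C('app', C('lam', ID), P('x')), 'El': P('x'),
       'Er': P('x'), 'Dl': PDERIV, 'Dr': PDERIV}
PSI2 = {'T': V('T'), 'E': C('app', C('lam', V('E1')), V('E2')), 'El': V('E1', V('E2')),
        'Er': V('Er'), 'Dl': C('pbeta', V('D1'), V('D2')), 'Dr': V('Dr')}
PSI2_REORDERED = {k: PSI2[k] for k in ('T', 'El', 'E', 'Er', 'Dl', 'Dr')}  # (E1 E2) first
PSI1 = {'T': V('T'), 'E': P('x'), 'El': P('x'), 'Dl': P('u'), 'Dr': V('Dr')}
```

`match(PSI2_REORDERED, ETA)` reproduces the reordered run: $(E_1'\ E_2') \approx x$ is postponed, turns into $x \approx x$ once $E_1'$ and $E_2'$ are instantiated, and is discharged in the second pass, while `match(PSI1, ETA)` fails on the clash of the parameter $x$ against $\mathrm{app}$.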
6.4.3 Strictness

How can we restrict the set of matching problems in order to make the matching algorithm from Section 6.4.2 complete? Recall that the algorithm proceeds in two phases. In the first phase it tries to solve all immediate goals and postpones all non-pattern goals as constraints. In the second phase it then attempts to solve those constraints one after the other.

In the first phase existential variables are instantiated by the $\mathrm{mpat}$-rule. One of its preconditions is that the variable is the head of a pattern: its spine must be a list of pairwise different local parameters. In order to simplify this presentation we introduce an abbreviation for pattern spines and write $\Gamma \vdash S$ pattern. If the existential variable does not occur in the form of a pattern, the matching goal is postponed as a constraint by the $\mathrm{mnopat}$-rule.

On which problems is the matching algorithm incomplete? The answer is easy. There is absolutely no guarantee that the second phase does not introduce new constraints whose solution would require a third pass. Likewise a fourth or fifth pass might be necessary in order to resolve all constraints. Some constraints can never be resolved.

One way to avoid multiple (more than two) runs of the algorithm is to impose restrictions on the matching problems to be considered. Miller, for example, has established the pattern restriction on unification problems, which guarantees decidability of pattern matching and pattern unification by enforcing that constraints can never occur. Therefore only one pass of the matching algorithm is necessary. In this work, we relax the pattern restriction to strictness, where we allow constraints to occur, but we require that after the first pass of the matching algorithm all existential variables are instantiated, which in turn means that after the first pass is completed all constraints are ground, as the example in the previous section shows.

For the pattern fragment, it is required that every occurrence of every existential variable occurs as the head of a pattern. For the strict fragment, we only require that there is at least one occurrence of every existential variable which occurs as the head of a pattern. Note that this is a dramatic generalization of the pattern fragment. Intuitively, matching against this one occurrence is guaranteed to succeed and, as a side effect, all other occurrences of the same variable are instantiated, thus removing all non-pattern occurrences of the same variable by the reduction rules defined for LF.

The idea behind the strictness restriction is hence as follows: Consider a case $(\Psi' \rhd \psi; P)$ in a list of cases $\Omega$. We say that $\psi$ is strict in $\Psi'$ if every variable $x : A$ occurs as a pattern some place in $\psi$. Moreover, to identify variable blocks, at least one parameter $x : A$ of every $(\rho^L) \in \Psi'$ must also occur as a pattern somewhere in $\psi$. Note that generalized substitutions only allow variable blocks to be replaced by variable blocks, and therefore one strict parameter occurrence of an entire parameter block already signifies a match of the others.

Informally, a proof of strictness of $\psi$ exposes the path from the root of a term to a strict occurrence of each variable in $\Psi'$. This path leads through the substitution $\psi$, possibly through LF-objects, LF-types, and very likely through LF-spines. By following this path one eventually arrives at a variable occurrence which is guaranteed to satisfy the side condition of the $\mathrm{mpat}$-rule.

Example 6.26 (Strict variable occurrences) Consider the two substitutions from Example 5.16, $\psi_1$ and $\psi_2$. The boxed variables (grey backgrounds in the original) denote strict occurrences. In addition, there are strict occurrences of other variables which occur implicitly in $\lambda$-binders or in omitted arguments which we do not show here.

\[
\begin{array}{rcl}
\psi_1 & = & \boxed{T}/T,\ \boxed{x}/E,\ \boxed{x}/E^l,\ \boxed{u}/D^l,\ \boxed{D^r}/D^r\\[1ex]
\psi_2 & = & \boxed{T}/T,\ (\mathrm{app}\ (\mathrm{lam}\ \boxed{E_1'})\ \boxed{E_2'})/E,\ (E_1'\ E_2')/E^l,\ \boxed{E^r}/E^r,\ (\mathrm{pbeta}\ \boxed{D_1'}\ \boxed{D_2'})/D^l,\ \boxed{D^r}/D^r
\end{array}
\]

In general there is no unique proof that a substitution $\psi$ is strict in its co-domain.

The main consequences of the strictness restriction are that pattern-matching is sound, complete, decidable, and yields sound solutions. That is, for the strict fragment of matching problems we can indeed guarantee that side condition (5.3) is satisfied:

\[
\text{For all } \eta\ (\Phi \vdash \eta \in \Psi) \text{ there exists a unique } \eta'\ (\Phi \vdash \eta' \in \Psi') \text{ s.t. } \eta = \psi \circ \eta'.
\]

Section 6.4.4 and Section 6.4.5 prepare the proof of this result, which is summarized in Theorem 6.36. We begin now with the formal presentation of the strictness criterion.

On the top level we write $\Psi' \vdash \psi$ strict in order to express that $\psi$ is strict in $\Psi'$ as described above. Top-level strictness is expressed in terms of substitution-level strictness, for which we require that a variable $x$ occurs in a strict position in $\psi$. It is expressed by the judgment $\vdash_x \psi$ strict.

The three judgments defining strict variable occurrences in objects, types, and spines are mutually recursive. Their definition is very similar to [PS99a]. Each of the judgments is defined relative to a context of local parameters $\Gamma$. We write $\Gamma \vdash_x M$ strict, $\Gamma \vdash_x A$ strict, and $\Gamma \vdash_x S$ strict for the strict occurrence of a variable $x$ in $M$, $A$, and $S$, respectively.


Judgment

\[
\begin{array}{ll}
\text{Top-level strictness:} & \Psi_1 \vdash (\Psi_2 \rhd \psi)\ \text{strict}\\
\text{Substitution-level strictness:} & \vdash_x \psi\ \text{strict}\\
\text{Generalized context strictness:} & \vdash_x \Psi\ \text{strict}\\
\text{LF-level strictness for objects:} & \Gamma \vdash_x M\ \text{strict}\\
\text{LF-level strictness for types:} & \Gamma \vdash_x A\ \text{strict}\\
\text{LF-level strictness for spines:} & \Gamma \vdash_x S\ \text{strict}
\end{array}
\]


Rules The top-level strictness judgment iterates through all declarations in $\Psi$, and guarantees that each assumption variable occurs in a strict position in $\psi$ (stass), and that at least one parameter declaration of every variable block also has a strict occurrence (stblock). stdone is the base case of the iteration.

\[
\frac{}{\cdot \vdash (\Psi \rhd \psi)\ \text{strict}}\ \mathrm{stdone}
\]

\[
\frac{\Psi_1 \vdash (x{:}A, \Psi_2 \rhd \psi)\ \text{strict} \qquad \vdash_x \psi\ \text{strict}}{\Psi_1, x{:}A \vdash (\Psi_2 \rhd \psi)\ \text{strict}}\ \mathrm{stass}
\qquad
\frac{\Psi_1 \vdash (x{:}A, \Psi_2 \rhd \psi)\ \text{strict} \qquad \vdash_x \Psi_2\ \text{strict}}{\Psi_1, x{:}A \vdash (\Psi_2 \rhd \psi)\ \text{strict}}\ \mathrm{stass'}
\]

\[
\frac{(x{:}A) \in \rho \qquad \Psi_1 \vdash (\rho^L, \Psi_2 \rhd \psi)\ \text{strict} \qquad \vdash_x \psi\ \text{strict}}{\Psi_1, \rho^L \vdash (\Psi_2 \rhd \psi)\ \text{strict}}\ \mathrm{stblock}
\qquad
\frac{(x{:}A) \in \rho \qquad \Psi_1 \vdash (\rho^L, \Psi_2 \rhd \psi)\ \text{strict} \qquad \vdash_x \Psi_2\ \text{strict}}{\Psi_1, \rho^L \vdash (\Psi_2 \rhd \psi)\ \text{strict}}\ \mathrm{stblock'}
\]




Each deduction of the remaining four judgments witnesses a strict occurrence of the variable $x$ indexing the judgment. $x$ occurs in a strict position in a substitution if it either occurs in a declaration of the form $M/y$ (stsubassyes) or $\rho'/\rho$ (stsubblockyes).

\[
\frac{\cdot \vdash_x M\ \text{strict}}{\vdash_x \psi, M/y\ \text{strict}}\ \mathrm{stsubassyes}
\qquad
\frac{(x{:}A) \in \rho'}{\vdash_x \psi, \rho'/\rho\ \text{strict}}\ \mathrm{stsubblockyes}
\]

\[
\frac{\vdash_x \psi\ \text{strict}}{\vdash_x \psi, M/y\ \text{strict}}\ \mathrm{stsubassno}
\qquad
\frac{\vdash_x \psi\ \text{strict}}{\vdash_x \psi, \rho'/\rho\ \text{strict}}\ \mathrm{stsubblockno}
\]

$x$ occurs in a strict position in a generalized context if it occurs in the type of some declaration.

\[
\frac{\cdot \vdash_x A\ \text{strict}}{\vdash_x \Psi, y{:}A\ \text{strict}}\ \mathrm{stctxassyes}
\qquad
\frac{\vdash_x \Psi\ \text{strict}}{\vdash_x \Psi, y{:}A\ \text{strict}}\ \mathrm{stctxassno}
\]

\[
\frac{(y{:}A) \in \rho \qquad \cdot \vdash_x A\ \text{strict}}{\vdash_x \Psi, \rho^L\ \text{strict}}\ \mathrm{stctxblockyes}
\qquad
\frac{\vdash_x \Psi\ \text{strict}}{\vdash_x \Psi, \rho^L\ \text{strict}}\ \mathrm{stctxblockno}
\]


The inference rules defining the remaining three judgments are all mutually recursive. $x$ is a strict occurrence in an object if it is either the head of a pattern (stocc) or if it occurs in the spine as an argument to a constant (stconst) or to a local parameter (stlocal). As expected, $x$ is a strict occurrence in a $\lambda$-term if it occurs strictly in either the binder (stlamdec) or the body (stlambody).

\[
\frac{}{\Gamma \vdash_x x \cdot S\ \text{strict}}\ \mathrm{stocc}\qquad \text{Side condition: } \Gamma \vdash S\ \text{pattern}
\]

\[
\frac{\Gamma \vdash_x S\ \text{strict}}{\Gamma \vdash_x c \cdot S\ \text{strict}}\ \mathrm{stconst}
\qquad
\frac{y{:}A \in \Gamma \qquad \Gamma \vdash_x S\ \text{strict}}{\Gamma \vdash_x y \cdot S\ \text{strict}}\ \mathrm{stlocal}
\]

\[
\frac{\Gamma \vdash_x A\ \text{strict}}{\Gamma \vdash_x \lambda y{:}A.\,M\ \text{strict}}\ \mathrm{stlamdec}
\qquad
\frac{\Gamma, y{:}A \vdash_x M\ \text{strict}}{\Gamma \vdash_x \lambda y{:}A.\,M\ \text{strict}}\ \mathrm{stlambody}
\]


On the type level, a variable $x$ occurs strictly in an atomic type if it occurs in any of its arguments (stfam). Likewise it occurs strictly in a $\Pi$-type if it either occurs strictly in its binder (stpidec) or its body (stlambody).

\[
\frac{\Gamma \vdash_x S\ \text{strict}}{\Gamma \vdash_x a \cdot S\ \text{strict}}\ \mathrm{stfam}
\]

\[
\frac{\Gamma \vdash_x A_1\ \text{strict}}{\Gamma \vdash_x \Pi y{:}A_1.\,A_2\ \text{strict}}\ \mathrm{stpidec}
\qquad
\frac{\Gamma, y{:}A_1 \vdash_x A_2\ \text{strict}}{\Gamma \vdash_x \Pi y{:}A_1.\,A_2\ \text{strict}}\ \mathrm{stlambody}
\]


Finally, a variable $x$ occurs strictly in a spine if it occurs strictly in at least one of its arguments (stthis, stnext).

\[
\frac{\Gamma \vdash_x M\ \text{strict}}{\Gamma \vdash_x M; S\ \text{strict}}\ \mathrm{stthis}
\qquad
\frac{\Gamma \vdash_x S\ \text{strict}}{\Gamma \vdash_x M; S\ \text{strict}}\ \mathrm{stnext}
\]
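As an added illustration (not part of the thesis or of Twelf), the following Python check implements the object-, spine-, substitution- and top-level strictness rules above on an untyped spine-notation term representation constructed for this example. Since types are omitted, the type-level rules (stlamdec, stfam, stpidec), the block-for-block declarations of stsubblockyes and the stass'/stblock' alternatives through later declarations' types are not modelled; names are assumed pairwise distinct. The samples follow $\psi_1$ and $\psi_2$ from Example 6.26, plus constructed non-strict variants.

```python
"""Strictness check of Section 6.4.3 on untyped spine-notation terms.
Added example, not the thesis's or Twelf's implementation; names are assumed
distinct and types are omitted, so only the object, spine, substitution and
top-level rules have a counterpart here."""

def C(name, *spine): return ('c', name, list(spine))   # constant head
def P(name, *spine): return ('p', name, list(spine))   # parameter head
def V(name, *spine): return ('v', name, list(spine))   # existential variable head
def L(name, body): return ('lam', name, body)          # lambda abstraction

def is_pattern(spine, gamma):
    """Gamma |- S pattern: pairwise distinct local parameters of gamma."""
    names = [a[1] for a in spine if a[0] == 'p' and a[1] in gamma and not a[2]]
    return len(names) == len(spine) == len(set(names))

def strict_obj(gamma, x, m):
    """Gamma |-x M strict."""
    if m[0] == 'lam':                                    # stlambody
        return strict_obj(gamma | {m[1]}, x, m[2])
    if m[0] in ('v', 'p') and m[1] == x:                 # stocc: x heads a pattern
        return is_pattern(m[2], gamma)
    if m[0] == 'c' or (m[0] == 'p' and m[1] in gamma):   # stconst / stlocal
        return strict_spine(gamma, x, m[2])
    return False   # under another existential variable or a global parameter: not strict

def strict_spine(gamma, x, spine):
    """Gamma |-x S strict: some argument is strict (stthis / stnext)."""
    return any(strict_obj(gamma, x, m) for m in spine)

def strict_subst(x, psi):
    """|-x psi strict: some declaration M/y has a strict x (stsubassyes / stsubassno)."""
    return any(strict_obj(frozenset(), x, m) for m in psi.values())

def non_strict(codomain, psi):
    """Declarations of the co-domain Psi' without a strict occurrence in psi.
    A string is an assumption variable (stass); a tuple of names is a parameter
    block, of which one strict parameter suffices (stblock)."""
    return [d for d in codomain
            if not any(strict_subst(x, psi) for x in (d if isinstance(d, tuple) else (d,)))]

def strict_case(codomain, psi):
    """Psi' |- psi strict (stdone reached with nothing left unchecked)."""
    return non_strict(codomain, psi) == []

# Constructed samples after Example 6.26: psi_1 (block (x, u) in its co-domain) and psi_2.
PSI1 = {'T': V('T'), 'E': P('x'), 'El': P('x'), 'Dl': P('u'), 'Dr': V('Dr')}
PSI1_CODOMAIN = ['T', ('x', 'u'), 'Dr']
PSI2 = {'T': V('T'), 'E': C('app', C('lam', V('E1')), V('E2')), 'El': V('E1', V('E2')),
        'Er': V('Er'), 'Dl': C('pbeta', V('D1'), V('D2')), 'Dr': V('Dr')}
PSI2_CODOMAIN = ['T', 'E1', 'E2', 'Er', 'D1', 'D2', 'Dr']
# Constructed: the only occurrence of E1 is the non-pattern (E1 E2), so E1 is not strict.
PSI_NONPATTERN = {'El': V('E1', V('E2')), 'E2': V('E2')}
```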
One of the main results of this section is that if we require the $\psi$ in the alt-rule from Section 5.6 to be strict in its co-domain, then it automatically satisfies side condition (5.3). The argument rests on the observation that any matching problem of a strict $\psi$ against a ground $\eta$ (which as usual might be open with respect to a well-formed parameter context $\Phi$) is decidable.

In the remainder of this section we give a detailed account of this argument, but first we have to generalize strictness to matching problems. Informally, strictness is also a property of a state formula which is preserved during execution, as we show in Section 6.4.5. We say that a matching problem $\Phi \rhd \exists\Psi.\ U_1\{U_2\}$ is strict iff $U_1$ is strict in $\Psi$, which we denote with the judgment $\Psi \vdash U_1$ strict.


Judgments

\[
\begin{array}{ll}
\text{Top-level strictness for universal formulas:} & \Psi_1 \vdash (\Psi_2 \rhd U)\ \text{strict}\\
\text{Universal formula-level strictness:} & \vdash_x U\ \text{strict}
\end{array}
\]


Rules The top-level judgment serves as an iterator, iterating through all assumption variables (ustass) and variable blocks (ustblock) in $\Psi$ and ensuring that each declaration has at least one strict occurrence in any of the left-hand sides of one of the possibly many equations in $U$. Recall that the left-hand sides of any equation $\psi \approx \eta$ or $M_1 \approx M_2$ in $U$ may contain free existential variables still to be matched, whereas the right-hand sides are ground.

\[
\frac{}{\cdot \vdash (\Psi_2 \rhd U)\ \text{strict}}\ \mathrm{ustdone}
\]

\[
\frac{\Psi_1 \vdash (x{:}A, \Psi_2 \rhd U)\ \text{strict} \qquad \vdash_x U\ \text{strict}}{\Psi_1, x{:}A \vdash (\Psi_2 \rhd U)\ \text{strict}}\ \mathrm{ustass}
\qquad
\frac{\Psi_1 \vdash (x{:}A, \Psi_2 \rhd U)\ \text{strict} \qquad \vdash_x \Psi_2\ \text{strict}}{\Psi_1, x{:}A \vdash (\Psi_2 \rhd U)\ \text{strict}}\ \mathrm{ustass'}
\]

\[
\frac{(x{:}A) \in \rho \qquad \Psi_1 \vdash (\rho^L, \Psi_2 \rhd U)\ \text{strict} \qquad \vdash_x U\ \text{strict}}{\Psi_1, \rho^L \vdash (\Psi_2 \rhd U)\ \text{strict}}\ \mathrm{ustblock}
\qquad
\frac{(x{:}A) \in \rho \qquad \Psi_1 \vdash (\rho^L, \Psi_2 \rhd U)\ \text{strict} \qquad \vdash_x \Psi_2\ \text{strict}}{\Psi_1, \rho^L \vdash (\Psi_2 \rhd U)\ \text{strict}}\ \mathrm{ustblock'}
\]

The second strictness judgment for universal state formulas is indexed by a variable x. It is derivable if x occurs in a strict position in any of the left-hand sides of the equations contained in U.


$$\frac{\vdash_x \psi\ \mathrm{strict}}{\vdash_x \psi \approx \eta \wedge U\ \mathrm{strict}}\ \mathrm{ustsubl}
\qquad
\frac{\vdash_x U\ \mathrm{strict}}{\vdash_x \psi \approx \eta \wedge U\ \mathrm{strict}}\ \mathrm{ustsubr}$$

$$\frac{\Gamma \vdash_x M_1\ \mathrm{strict}}{\vdash_x (\forall\Gamma.\, M_1 \approx M_2) \wedge U\ \mathrm{strict}}\ \mathrm{ustobjl}
\qquad
\frac{\vdash_x U\ \mathrm{strict}}{\vdash_x (\forall\Gamma.\, M_1 \approx M_2) \wedge U\ \mathrm{strict}}\ \mathrm{ustobjr}$$

$$\frac{\Gamma \vdash_x A_1\ \mathrm{strict}}{\vdash_x (\forall\Gamma.\, A_1 \approx A_2) \wedge U\ \mathrm{strict}}\ \mathrm{usttypel}
\qquad
\frac{\vdash_x U\ \mathrm{strict}}{\vdash_x (\forall\Gamma.\, A_1 \approx A_2) \wedge U\ \mathrm{strict}}\ \mathrm{usttyper}$$

$$\frac{\Gamma \vdash_x S_1\ \mathrm{strict}}{\vdash_x (\forall\Gamma.\, S_1 \approx S_2) \wedge U\ \mathrm{strict}}\ \mathrm{ustspinel}
\qquad
\frac{\vdash_x U\ \mathrm{strict}}{\vdash_x (\forall\Gamma.\, S_1 \approx S_2) \wedge U\ \mathrm{strict}}\ \mathrm{ustspiner}$$


The generalization of the strictness predicate to state formulas is straightforward. Moreover, no additional information is involved in this construction. In particular, we show that the initial state Φ ⊳ ∃Ψ. (ψ ≈ η) constructed from a strict ψ is also strict in Ψ. Thus if a case proof term in M2+ satisfies the side condition (5.3), the initial state of the matching process is also strict.


Lemma 6.27

If $\mathcal{D} :: \Psi' \vdash \psi\ \mathrm{strict}$
and $\Phi \vdash \eta \in \Psi'$
then $\Psi' \vdash (\psi \approx \eta \wedge \top)\ \mathrm{strict}$

Proof: by induction on $\mathcal{D}$. □


In  Section  6.4.5  we  show  as  part  of  the  completeness  argument  that  strictness  is  preserved 
throughout  the  run  of  the  matching  algorithm.  The  main  result  of  this  section  is  that  strict 
matching  problems  are  decidable  with  the  matching  algorithm  from  Section  6.4.2  being  the 
decision  procedure.  It  is  this  observation  which  justifies  the  choice  of  strictness  to  warrant  side 
condition  (5.3). 


6.4.4  Soundness 

The matching algorithm is a sound procedure for all strict matching problems. As a matter of fact, the result is more general. It applies also to matching problems which are not necessarily strict. Given a successful trace of the matching algorithm, the deduction of ⊢ T matchable contains enough information to extract the desired matching substitution.

Recall that the matching algorithm proceeds in two phases. Informally, the first phase starts with the matching problem ψ ≈ η and terminates in a state ⊤{U}, where U is a list (or better, a conjunction) of all constraints postponed during the run. In the second phase the algorithm solves all constraints until it reaches ⊤{⊤} as final state. In order to show soundness we extract from these two traces the matching substitution η', which satisfies ψ ∘ η' = η.

The soundness argument is presented in three steps. First, we show that if the matching algorithm makes one step from state T1 to state T2, any matching substitution η2 for T2 can be extended in a unique way to a matching substitution for T1. Clearly, by applying this argument successively, we can generalize this result to T1 and T2 being several steps apart.
Lemma 6.28 (Solution preservation)

1. If $\Phi \rhd \exists\Psi.\, U_1\{U_2\} \Longrightarrow \Phi \rhd \exists\Psi'.\, U_1'\{U_2'\}$
and $\eta'$ ($\Phi \vdash \eta' \in \Psi'$) is a solution of $\exists\Psi'.\, U_1'\{U_2'\}$
then there exists a unique $\eta$ ($\Phi \vdash \eta \in \Psi$) which is a solution of $\exists\Psi.\, U_1\{U_2\}$

2. If $\mathcal{D} :: \Phi \rhd \exists\Psi.\, U_1\{U_2\} \Longrightarrow^* \Phi \rhd \exists\Psi'.\, U_1'\{U_2'\}$
and $\eta'$ ($\Phi \vdash \eta' \in \Psi'$) is a solution of $\exists\Psi'.\, U_1'\{U_2'\}$
then there exists a unique $\eta$ ($\Phi \vdash \eta \in \Psi$) which is a solution of $\exists\Psi.\, U_1\{U_2\}$

Proof: 1. direct by inspection of the rules, and 2. by induction on $\mathcal{D}$. □

In order to apply the local soundness lemma, we must know that there exists a matching substitution for the termination state ⊤{⊤}. And indeed, not very surprisingly, there is one, namely the empty substitution.

Lemma 6.29 (Initial soundness)

The substitution $\cdot$ is a trivial solution of $\top\{\top\}$.

Proof: follows directly from Definition 6.25. □

From the two traces of the matching algorithm we construct a solution of the original matching problem in the following way. Starting with the second trace and the lemma about initial soundness, there must be a solution of ⊤{U} by the local soundness lemma. By definition this solution is also a solution for U{⊤}. Another application of the local soundness lemma immediately results in a matching substitution for the original matching problem.

Lemma 6.30 (Soundness)

If $\mathcal{D} :: \vdash \Phi \rhd \exists\Psi'.\, \psi \approx \eta\{\top\}\ \mathrm{matchable}$
then there exists a unique $\eta'$, $\Phi \vdash \eta' \in \Psi'$ and $\psi \circ \eta' = \eta$

Proof: direct by Lemma 6.29 and Lemma 6.28. A detailed proof can be found in Appendix B.2. □


In  summary,  it  follows  that  the  matching  algorithm  is  sound  by  extracting  the  matching 
substitution  from  the  trace  in  a  right  to  left  fashion.  The  completeness  result  of  the  matching 
algorithm  for  strict  matching  problems  is  discussed  next. 

6.4.5  Completeness 

The matching algorithm from Section 6.4.2 is sound for strict matching problems, as shown in the previous section. Whenever the algorithm terminates and reports yes, there is indeed a solution for the initially posed matching problem. In this section we show that we can also trust the answers of the matching algorithm in the other direction. In particular, given a solvable problem, the algorithm will terminate and report yes. Moreover, we show that the matching algorithm always terminates, which makes it an appropriate decision procedure.

We begin this technical discussion with the definition of a particular well-founded ordering, which guarantees that the matching algorithm always terminates. A state of the matching algorithm is formally defined as Φ ⊳ ∃Ψ. U1{U2} for two universal state formulas U1 and U2. As the matching algorithm progresses, it either instantiates variables of Ψ, or it decomposes the left-hand side of some equation in U1. As usual, we write |Ψ| for the length of Ψ, and we define |U1| as the sum of all LF subobjects of all left-hand sides of equations in U1, where we count |x| as 1 + the number of all LF subobjects of all types of the ρ the parameter variable x is defined in. Clearly, 0 ≤ |Ψ| and 0 ≤ |U1|.

As termination ordering for the matching algorithm, we choose the lexicographic ordering on pairs of non-negative integer numbers (|Ψ|, |U1|). Recall that the lexicographic ordering is defined as follows.

$$(n_1, m_1) <_{\mathrm{lex}} (n_2, m_2) \quad\text{iff}\quad n_1 < n_2 \ \text{ or }\ (n_1 = n_2 \ \text{ and }\ m_1 < m_2)$$

The measure of a state Φ ⊳ ∃Ψ. U1{U2} is defined to be the pair (|Ψ|, |U1|). Back to the completeness argument. It hinges on the fact that there is a transition for every state whose measure is different from (n, 0). The algorithm terminates if U1 = ⊤ or, in measures, if |U1| = 0. Can Ψ still contain existential variable declarations once the matching algorithm comes to a halt with U1 = ⊤? The answer is no, and the reason is deeply connected with the strictness requirement. If we can guarantee (and we can!) that strictness is preserved during the execution of the algorithm, the final state Φ ⊳ ∃Ψ. ⊤{U2} must still be strict, and it hence follows by inversion that Ψ = ·. If Ψ were not empty, there would have to be at least one strict occurrence of a variable in ⊤, which cannot be the case. As invariant, we infer that each strict state satisfies |Ψ| ≤ |U1|.

Therefore, and because the ordering is well-founded, the algorithm either terminates in a state whose measure is equal to (0, 0) or it reports failure. Which state can this be? It must be Φ ⊳ ⊤{U2} for some U2.

Lemma 6.31 (Measure)

1. If $T = \Phi \rhd \exists\Psi.\, U_1\{U_2\}$
and $\mathcal{D} :: \Psi \vdash U_1\ \mathrm{strict}$,
then $|\Psi| \le |U_1|$

2. If $T = \Phi \rhd \exists\Psi.\, U_1\{U_2\}$ is given
and $|\Psi| = 0$ and $|U_1| = 0$
then $T = \Phi \rhd \top\{U_2\}$

Proof: 1. by induction on $\mathcal{D}$, 2. by definition of $|U|$. Every other syntactical construction for $U$ has at least one LF subobject. □

We start now with the discussion of the completeness proof itself. It is split into two parts according to the two phases of the matching algorithm. Assume that there is a solution for the initial state T. First we prove that if T ≠ Φ ⊳ ⊤{U2} then the matching algorithm can perform another step. In particular, this step preserves strictness and it reduces the measure of a state. A slight generalization reveals that, when run on any strict and solvable initial state, the matching algorithm eventually terminates in Φ ⊳ ⊤{U} for some U. All existential variables are instantiated, and therefore U must be ground (with respect to Φ, naturally).

Lemma 6.32 (Completeness I)

1. If $U_1 \neq \top$
and $\Phi \rhd \exists\Psi.\, U_1\{U_2\}$ is given
and $\eta$ ($\Phi \vdash \eta \in \Psi$) is a solution of $\exists\Psi.\, U_1\{U_2\}$
and $\Psi \vdash U_1\ \mathrm{strict}$
then $\Phi \rhd \exists\Psi.\, U_1\{U_2\} \Longrightarrow \Phi \rhd \exists\Psi'.\, U_1'\{U_2'\}$
and there exists an $\eta'$ ($\Phi \vdash \eta' \in \Psi'$) which is a solution of $\exists\Psi'.\, U_1'\{U_2'\}$
and $\Psi' \vdash U_1'\ \mathrm{strict}$
and $(|\Psi'|, |U_1'|) <_{\mathrm{lex}} (|\Psi|, |U_1|)$.

2. If $T = \Phi \rhd \exists\Psi.\, U_1\{U_2\}$ is given
and $\Psi \vdash U_1\ \mathrm{strict}$
then $T \Longrightarrow^* \Phi \rhd \top\{U\}$ for some $U$.

Proof: 1. by inspection of the rules, 2. by induction on $(|\Psi|, |U_1|)$ using Lemma 6.31. A detailed proof can be found in Appendix B.2. □

In the second phase, we start the matching algorithm on Φ ⊳ U{⊤}, where U is the list of constraints resulting from the first phase. As already noted, U is ground, i.e. it does not contain any free existential variables. Informally, U is nothing else but a set of equations to be checked for convertibility.

How can we convince ourselves that the algorithm terminates in ⊤{⊤}? First, note that some of the rules defining the matching algorithm can never apply; mpat and mnopat, for example, can never be applied because there are no existential variables. Therefore, the set of postponed constraints never changes and thus remains empty (= ⊤) during the entire second phase. That U eventually ends up being empty, too, follows by the same argument used for the first completeness lemma.

Lemma 6.33 (Completeness II)

1. If $U \neq \top$
and $\Phi \rhd U\{\top\}$ is given
and $\cdot$ ($\Phi \vdash \cdot \in \cdot$) is a trivial solution for $U\{\top\}$
then $\Phi \rhd U\{\top\} \Longrightarrow \Phi \rhd U'\{\top\}$
and $\cdot$ ($\Phi \vdash \cdot \in \cdot$) is a trivial solution for $U'\{\top\}$
and $|U'| < |U|$.

2. If $T = \Phi \rhd U\{\top\}$ is a given matching state
then $\Phi \rhd U\{\top\} \Longrightarrow^* \Phi \rhd \top\{\top\}$

Proof: 1. by inspection of the rules, 2. by induction on $|U|$ using Lemma 6.31. A detailed proof can be found in Appendix B.2. □

An  easy  combination  of  these  two  previous  results  yields  the  completeness  lemma.  If  a  strict 
matching  problem  has  a  solution,  the  matching  algorithm  eventually  terminates  and  reports  yes. 

Theorem 6.34 (Completeness)

If $T = \Phi \rhd \exists\Psi.\, U_1\{U_2\}$
and $\mathcal{D} :: \Psi \vdash U_1\ \mathrm{strict}$
and $\eta$ ($\Phi \vdash \eta \in \Psi$) is a solution of $\exists\Psi.\, U_1\{U_2\}$
then $\vdash T\ \mathrm{matchable}$

Proof: direct. A detailed proof can be found in Appendix B.2. □

As a side result of the completeness argument, the termination property of the matching algorithm follows. Each run terminates, because the measure of the successive states strictly decreases. Since the termination ordering is well-founded, the matching algorithm must come to a final state. If it is ⊤{⊤} it reports yes, if not it reports no.

Corollary 6.35 (Termination)

Any sequence of $\Longrightarrow$-reduction steps is finite.

In summary, we have shown that matching is sound, complete, and decidable, provided that the matching problem is strict. The solution that matching computes is unique. Therefore side condition (5.3) follows if we require the case-defining ψ from rule alt to be strict.

Theorem 6.36 (Determinacy)

and $\mathcal{E} :: \vdash \psi\ \mathrm{strict}$
and $\mathcal{F} :: \Phi \vdash \eta \in \Psi$
then there exists a (unique) $\eta'$ ($\Phi \vdash \eta' \in \Psi'$) s.t. $\psi \circ \eta' = \eta$,
or not.

Proof: direct. A detailed proof can be found in Appendix B.2. □

In conclusion, we stipulate

$$\vdash \psi\ \mathrm{strict}$$

as syntactic criterion for side condition (5.3).


6.4.6  Results 

The main difficulty in designing a matching algorithm for M2+ lies in the fact that in general matching for LF is not known to be decidable. It is only known to be decidable on fragments, as for example the pattern fragment defined by Miller. But unfortunately, this fragment is too weak for our purposes. Already the matching problems associated with our examples lie outside the pattern fragment.

As a solution to this problem we characterize an extension of the pattern fragment which we call the strict fragment. The main result is that strict matching problems are decidable and yield unique matching substitutions. The matching algorithm defined in this section is the appropriate decision procedure. Unification problems for the strict fragment, on the other hand, might not be decidable. We leave a further investigation to future research.


6.5  Big-Step  Semantics 

There are several ways to show the consistency of a logic. As already motivated earlier, the way we have chosen to show the consistency of M2+ is to assign an operational meaning to its proof terms and to show that each proof term corresponds to a total function, a realizer. In this section, we define such an operational semantics. In particular, it is a big-step semantics, which we refine in the next chapter to a small-step semantics. Why define two different semantics? The big-step semantics only relates proof terms with the result of their computations; it is easier to describe, and therefore it is more accessible than the small-step semantics. Nevertheless, for the soundness proof of M2+ we need the small-step semantics. If a proof term cannot be related to any result of a computation, be it because the function does not terminate, or because its evaluation gets stuck, the big-step operational semantics is not fine-grained enough to support any further investigation. Based on a state transition machine very similar to the CPM machine [Pfe00], the small-step semantics on the other hand allows us to express properties such as termination and progress. We leave this discussion entirely to the next chapter.

The operational semantics assigns a computational interpretation to the proof terms of the meta-logic M2+. Any proof of any theorem can calculate from any well-typed input (a set of objects instantiating the universally quantified variables) a well-typed output (a set of objects which witness the existential quantifiers). The input and the output arguments are possibly open with respect to a given regular world extension Φ. Therefore we index the evaluation judgment by Φ.

The operational semantics itself is defined with respect to three different judgments, one for proof terms P, one for declarations D, and a last one for cases Ω. Proof terms are evaluated via the judgment Φ ⊢ P ↪ V, where we denote the outcome of the evaluation by V. V is a proof term itself, but in addition it is a value which cannot be evaluated any further. Values are potentially open with respect to the regular world extension.

Values $V ::= () \mid \langle M, V\rangle \mid \lambda x{:}A.\,P \mid \lambda\rho^L.\,P \mid (V_1, V_2)$

Declarations declare extensions of the meta contexts Ψ; Δ in which they are defined. Recall from rule sel that these context extensions are denoted by Ψ'; Δ'. The attentive reader might already suspect that evaluating a list of declarations results in a list of LF objects for Ψ' and proof terms for Δ'. The vehicle we use in order to express these resulting terms are substitution extensions, denoted by (ψ'; δ'). Formally, we write Φ ⊢ D ↪ (ψ; δ) for the evaluation relation of declarations. Finally, we need to evaluate cases. A case in Ω is triggered if it matches the current "environment", the explicit substitution ψ; δ serving as case subject, using the matching algorithm defined in Section 6.4.2. Case analysis is expressed by the judgment Φ ⊢ (ψ; δ) ~ Ω ↪ V, and again V denotes a proof term.

Judgments

Evaluation of programs: $\Phi \vdash P \hookrightarrow V$

Evaluation of declarations: $\Phi \vdash D \hookrightarrow \psi;\delta$

Selection: $\Phi \vdash (\psi;\delta) \sim \Omega \hookrightarrow V$

Rules Evaluation, assumption and selection obey the laws of a call-by-value semantics. The only non-standard rules are ev_let and ev_case. ev_let first evaluates the list of declarations and obtains a meta-substitution extension ψ; δ, which is in turn applied to the body of the let construct. The ev_case rule selects a matching case by invoking selection.

$$\frac{}{\Phi \vdash \lambda x{:}A.\,P \hookrightarrow \lambda x{:}A.\,P}\ \mathrm{ev\_lam}
\qquad
\frac{}{\Phi \vdash \lambda\rho^L.\,P \hookrightarrow \lambda\rho^L.\,P}\ \mathrm{ev\_lam}$$

$$\frac{\Phi \vdash P \hookrightarrow V}{\Phi \vdash \langle M, P\rangle \hookrightarrow \langle M, V\rangle}\ \mathrm{ev\_inx}
\qquad
\frac{\Phi \vdash P_1 \hookrightarrow V_1 \qquad \Phi \vdash P_2 \hookrightarrow V_2}{\Phi \vdash (P_1, P_2) \hookrightarrow (V_1, V_2)}\ \mathrm{ev\_pair}
\qquad
\frac{}{\Phi \vdash () \hookrightarrow ()}\ \mathrm{ev\_unit}$$

$$\frac{\Phi \vdash D \hookrightarrow \psi;\delta \qquad \Phi \vdash P[\mathrm{id}_\Phi, \psi;\delta] \hookrightarrow V}{\Phi \vdash \mathbf{let}\ D\ \mathbf{in}\ P \hookrightarrow V}\ \mathrm{ev\_let}$$

$$\frac{\Phi \vdash P[\mu x \in F.\,P\,/\,x] \hookrightarrow V}{\Phi \vdash \mu x \in F.\,P \hookrightarrow V}\ \mathrm{ev\_rec}
\qquad
\frac{\Phi \vdash (\psi;\delta) \sim \Omega \hookrightarrow V}{\Phi \vdash \mathbf{case}\ (\psi;\delta)\ \mathbf{of}\ \Omega \hookrightarrow V}\ \mathrm{ev\_case}$$

The evaluation rules for declarations return meta-substitution extensions (ψ'; δ'). The formulation of these rules is non-standard, since they follow the provability rules of M2+ in Section 5.4.4. The definition of ev_new uses meta-substitution abstraction as defined in Section 6.6.

$$\frac{}{\Phi \vdash \cdot \hookrightarrow (\cdot;\cdot)}\ \mathrm{ev\_empty}$$

$$\frac{\Phi \vdash P \hookrightarrow \langle M, V\rangle \qquad \Phi \vdash D[\mathrm{id}_\Phi, M/x; V/y] \hookrightarrow (\psi';\delta')}{\Phi \vdash (\langle x{:}A, y \in F\rangle = P.\ D) \hookrightarrow (M/x, \psi'; V/y, \delta')}\ \mathrm{ev\_split}$$

$$\frac{\Phi \vdash P \hookrightarrow \lambda x{:}A.\,P' \qquad \Phi \vdash P'[\mathrm{id}_\Phi, M/x] \hookrightarrow V \qquad \Phi \vdash D[V/y] \hookrightarrow (\psi';\delta')}{\Phi \vdash (y \in F = P\,M.\ D) \hookrightarrow (\psi'; V/y, \delta')}\ \mathrm{ev\_app}$$

$$\frac{\Phi \vdash P \hookrightarrow \lambda\rho'^L.\,P' \qquad \Phi \vdash P'[\mathrm{id}_\Phi, \rho/\rho'] \hookrightarrow V \qquad \Phi \vdash D[V/y] \hookrightarrow (\psi';\delta')}{\Phi \vdash (y \in F = P\,\rho.\ D) \hookrightarrow (\psi'; V/y, \delta')}\ \mathrm{ev\_app}$$

$$\frac{\Phi, \rho^L \vdash D \hookrightarrow (\psi';\delta')}{\Phi \vdash \nu\rho^L.\ D \hookrightarrow (\lambda\rho^L.\,(\psi';\delta'))}\ \mathrm{ev\_new}$$

$$\frac{\Phi \vdash P \hookrightarrow (V_1, V_2) \qquad \Phi \vdash D[V_1/x] \hookrightarrow (\psi';\delta')}{\Phi \vdash (x \in F_1 = \pi_1 P.\ D) \hookrightarrow (\psi'; V_1/x, \delta')}\ \mathrm{ev\_fst}$$

$$\frac{\Phi \vdash P \hookrightarrow (V_1, V_2) \qquad \Phi \vdash D[V_2/x] \hookrightarrow (\psi';\delta')}{\Phi \vdash (x \in F_2 = \pi_2 P.\ D) \hookrightarrow (\psi'; V_2/x, \delta')}\ \mathrm{ev\_snd}$$

Finally, there are two rules defining the selection of cases. Because of Theorem 6.36 it is always decidable if a case in Ω applies, and in addition the new environment is effectively computable by the matching algorithm presented in Section 6.4.2. The situation when a case matches is expressed by rule ev_yes. If it does not match, ev_no tries the next case. Note that there is no rule for Ω = ·. If this case is encountered, it follows that the function currently executed is not a realizer, because the evaluation would terminate without returning a value. A careful study of why such a situation cannot occur will be the focus of the next chapter.


$$\frac{\Phi \vdash P[\psi'';\delta] \hookrightarrow V}{\Phi \vdash (\psi;\delta) \sim (\Omega, (\Psi' \rhd \psi' \mapsto P)) \hookrightarrow V}\ \mathrm{ev\_yes}
\qquad \text{if there exists a } \psi'' \text{ s.t. } (\psi'; \mathrm{id}_\Delta) \circ (\psi'';\delta) = (\psi;\delta)$$

$$\frac{\Phi \vdash (\psi;\delta) \sim \Omega \hookrightarrow V}{\Phi \vdash (\psi;\delta) \sim (\Omega, (\Psi' \rhd \psi' \mapsto P)) \hookrightarrow V}\ \mathrm{ev\_no}
\qquad \text{if there is no } \psi'' \text{ s.t. } (\psi'; \mathrm{id}_\Delta) \circ (\psi'';\delta) = (\psi;\delta)$$
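The two-phase matching algorithm of Sections 6.4.4 and 6.4.5 and the selection rules ev_yes/ev_no above, as an added Python example that is not part of the thesis or of Twelf: it restricts to first-order terms (so every variable occurrence is strict and no higher-order pattern condition arises), checks the measure (|Ψ|, |U1|) against the lexicographic ordering and the invariant |Ψ| ≤ |U1| on every step, and uses the unique solution to select a case in the style of ev_rec/ev_case. The term encoding, the function names and the plus example are assumptions of this example.

```python
"""Added example, not code from the thesis or Twelf.  Term encoding is
constructed for this example: a str is a constant or an existential
variable (the names listed in psi); a tuple is a constant applied to
arguments, e.g. ("s", ("s", "z")) is the numeral 2."""


def size(t):
    """|t|: number of subobjects of t, the summand of |U1| in Section 6.4.5."""
    return 1 if isinstance(t, str) else 1 + sum(size(a) for a in t[1:])


def measure(psi, u1):
    """(|Psi|, |U1|): the lexicographic termination measure of a state."""
    return (len(psi), sum(size(lhs) for lhs, _ in u1))


def lex_less(m1, m2):
    """(n1, k1) <lex (n2, k2) iff n1 < n2 or (n1 = n2 and k1 < k2)."""
    (n1, k1), (n2, k2) = m1, m2
    return n1 < n2 or (n1 == n2 and k1 < k2)


def occurs(x, t):
    return t == x if isinstance(t, str) else any(occurs(x, a) for a in t[1:])


def is_strict(psi, u1):
    """First-order reading of Psi |- U1 strict: every existential variable
    has at least one occurrence in some left-hand side of U1."""
    return all(any(occurs(x, lhs) for lhs, _ in u1) for x in psi)


def step(psi, u1, u2, eta):
    """One ==> transition of phase 1 on Phi |> exists Psi. U1{U2}; eta holds
    the instantiations made so far.  Returns None when no rule applies."""
    (lhs, rhs), rest = u1[0], u1[1:]
    if isinstance(lhs, str) and lhs in psi:          # first occurrence: X := rhs
        return psi - {lhs}, rest, u2, {**eta, lhs: rhs}
    if isinstance(lhs, str) and lhs in eta:          # later occurrence: postpone to U2
        return psi, rest, u2 + [(eta[lhs], rhs)], eta
    if isinstance(lhs, str) and lhs == rhs:          # identical constants
        return psi, rest, u2, eta
    if (isinstance(lhs, tuple) and isinstance(rhs, tuple)
            and lhs[0] == rhs[0] and len(lhs) == len(rhs)):   # decompose
        return psi, list(zip(lhs[1:], rhs[1:])) + rest, u2, eta
    return None                                      # clash: the run fails


def match(psi, u1):
    """Run both phases on Phi |> exists Psi. U1{T}.  Returns the unique
    solution eta (Lemma 6.30) or None.  Each phase-1 step is checked against
    the invariant |Psi| <= |U1| and the strictly decreasing measure."""
    if not is_strict(psi, u1):
        raise ValueError("matching problem is not strict")
    state = (frozenset(psi), list(u1), [], {})
    while state[1]:                                  # phase 1 runs until U1 = T
        assert len(state[0]) <= measure(state[0], state[1])[1]
        nxt = step(*state)
        if nxt is None:
            return None
        assert lex_less(measure(nxt[0], nxt[1]), measure(state[0], state[1]))
        state = nxt
    psi_left, _, u2, eta = state
    assert not psi_left                              # Lemma 6.31: Psi is empty
    for lhs, rhs in u2:                              # phase 2: ground checks
        if lhs != rhs:
            return None
    return eta


def select_case(subject, cases):
    """ev_yes / ev_no.  subject is the ground case subject psi (a dict x -> M);
    each case is (psi_prime, pattern, body), pattern being the substitution
    psi' of the case.  Returns (body, eta) for the first case that has a psi''
    with psi' o psi'' = psi, or None when Omega is exhausted (evaluation stuck)."""
    for psi_p, pattern, body in cases:
        eta = match(psi_p, [(pattern[x], subject[x]) for x in pattern])
        if eta is not None:
            return body, eta
    return None


def plus(m, n):
    """Addition on numerals as a function defined by cases, unfolded in the
    style of ev_rec: plus z Y = Y, plus (s X) Y = s (plus X Y)."""
    cases = [({"Y"}, {"x": "z", "y": "Y"}, "base"),
             ({"X", "Y"}, {"x": ("s", "X"), "y": "Y"}, "step")]
    selected = select_case({"x": m, "y": n}, cases)
    if selected is None:
        raise RuntimeError("no case applies: the function is not a realizer")
    body, eta = selected
    return eta["Y"] if body == "base" else ("s", plus(eta["X"], eta["Y"]))


def numeral(k):
    return "z" if k == 0 else ("s", numeral(k - 1))
```

A non-linear pattern such as ("pair", "X", "X") shows the two phases at work: the second occurrence of X is postponed into U2 and only checked after Ψ has been emptied.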

The operational semantics is type preserving. Specifically, the proof relies on a technical but easy to prove lemma which we have dubbed the context lemma.

Lemma 6.37 (Context)

1. If $\mathcal{D} :: \Phi;\cdot \vdash \mathrm{id}_\Phi, \psi;\delta \in \Phi, [M/x]\Psi; [\mathrm{id}_\Phi, M/x, \mathrm{id}_\Psi]\Delta$
and $\mathcal{E} :: [\Phi] \vdash M : A$
and $\mathcal{V} :: \Phi;\cdot \vdash V \in F[\mathrm{id}_\Phi, M/x]$
then $\Phi;\cdot \vdash (\mathrm{id}_\Phi, M/x, \psi; V/y, \delta) \in (\Phi, x{:}A, \Psi; y \in F, \Delta)$

2. If $\mathcal{D} :: \Phi;\cdot \vdash \mathrm{id}_\Phi, \psi;\delta \in \Phi, \Psi; \Delta$
and $\mathcal{P} :: \Phi;\cdot \vdash V \in F$
then $\Phi;\cdot \vdash (\mathrm{id}_\Phi, \psi; V/y, \delta) \in (\Phi, \Psi; y \in F, \Delta)$

Proof: direct in both cases using Lemma 6.21. A detailed proof can be found in Appendix B.3. □


Based  on  the  context  lemma,  the  type  preservation  theorem  follows.  Clearly,  the  evaluation 
relation  is  mutually  dependent  on  the  evaluation  relation  of  declarations  and  cases,  and  the  type 
preservation  theorem  must  hence  be  accordingly  generalized. 

Theorem 6.38 (Type preservation)

1. If $\mathcal{D} :: \Phi \vdash P \hookrightarrow V$
and $\Phi;\cdot \vdash P \in F$
then $\Phi;\cdot \vdash V \in F$

2. If $\mathcal{D} :: \Phi \vdash D \hookrightarrow \psi;\delta$
and $\mathcal{E} :: \Phi;\cdot \vdash D \in \Psi;\Delta$
then $\Phi;\cdot \vdash (\mathrm{id}_\Phi, \psi;\delta) \in (\Phi, \Psi; \Delta)$,
which extends $\Phi;\cdot \vdash (\mathrm{id}_\Phi;\cdot) \in (\Phi;\cdot)$

3. If $\mathcal{D} :: \Phi \vdash (\psi;\delta) \sim \Omega \hookrightarrow V$
and $\mathcal{F} :: \Phi;\cdot \vdash \psi;\delta \in \Psi;\Delta$
and $\mathcal{E} :: \Psi;\Delta \vdash \Omega \in F$
then $\Phi;\cdot \vdash V \in F[\psi]$

Proof: by simultaneous induction over $\mathcal{D}(1)$, $\mathcal{D}(2)$, $\mathcal{D}(3)$ using Lemma 6.20, Lemma 6.22, Lemma 6.37, Lemma 6.11, and Lemma 6.7. A detailed proof can be found in Appendix B.3. □

Note that the proof of the type preservation theorem does not rely on the termination side condition (5.1) or the coverage side condition (5.2). In fact, even without these two side conditions, the operational semantics is type-preserving. In other words, every function that corresponds to a well-typed proof term in M2+ is partially correct.

This already concludes the presentation of the operational big-step semantics. It assigns an operational meaning to a proof term by relating it to the result value of its computation. Moreover, this computation is type preserving. The main drawback of this kind of operational semantics is that it does not offer any fine-grained control on how the evaluation is being conducted. Using only the big-step semantics we cannot express that a proof term, interpreted as a function, is total and, applied to LF objects, always computes a value.


6.6  Summary 

In this chapter we have introduced and proved properties about all major basic concepts needed for an in-depth analysis of the meta-logic M2+. On the basis of generalized substitutions, meta-substitutions, lemma instantiations, context schema subsumption, matching, and strictness, we have defined an operational big-step semantics which assigns an operational meaning to proof terms, justifying the intuitive idea from Section 2.6 that proof terms correspond to recursive functions.


Chapter  7 

Realizability 


From a functional perspective, the proof terms of M2+ correspond to partial recursive functions suitable for programming, but from a logical perspective we must require these functions to be total to be considered proofs. Unlike the soundness proof of FOLΔN, which is based on a cut-elimination argument in the presence of natural number induction, the soundness proof for M2+ is based on realizability: each proof term in M2+ realizes a proof. That means that, upon application to arguments, proof terms always evaluate to some result; in particular, their computation always makes progress and will eventually terminate. Under the regular world assumption, we have argued that the big-step operational semantics is not fine-grained enough to study properties such as termination and coverage. Thus we refine the big-step semantics to a trace-based continuation-style small-step semantics and establish two syntactic criteria on the form of proof terms that imply progress and termination of their computations. Together, the two criteria guarantee that the proof terms of M2+ are total, entailing the soundness of the meta-logic M2+. We stress that the criteria are syntactic, which makes them good candidates for proof generation and proof checking in Twelf (see Chapter 8).

The soundness proof of a functional calculus as complicated as M2+ involves a lot of work. Sadly, the operational big-step semantics is inappropriate to reason about proof terms the way we need to. In particular, Φ ⊢ P ↪ V is not an algorithmic description of how to evaluate proof terms; it is merely the definition of a relation, relating a program to be executed with the result of its computation. This means that if a computation does not terminate or cannot make progress because not all cases are covered, Φ ⊢ P ↪ V is simply not derivable for any V. On the other hand, if we had a more algorithmic specification of the operational semantics we could formulate termination and coverage properties. Specifically, it would allow us to express the non-termination of the program “μx ∈ (). x”, because once this program begins to execute, it deterministically transforms to itself after each execution step. Similarly, it would allow us to express that the evaluation of “case (lam(λy:term. y)/x; ·) of ·” does not make progress, since no cases are applicable. Therefore, we refine the big-step operational semantics to a small-step semantics that is executable on an abstract machine. Only by observing the computation trace of an abstract machine is it possible to investigate whether a function is total or not.

This chapter is organized as follows. In Section 7.1 we define a small-step semantics for the proof terms of M2+. This semantics is trace-based, and can be executed on a continuation-based abstract machine, very similar to the CPM machine [Pfe00]. In addition, it refines the big-step semantics from Section 6.5, but we skip the proof. We then address the question of termination in Section 7.2 and coverage in Section 7.3. Termination and coverage are the two necessary properties for totality. Therefore, proof terms in M2+ are realizers and the meta-logic is sound, which we show in Section 7.4. Finally, we summarize the results of this chapter in Section 7.5.


7.1  Small-Step  Semantics 


In the previous chapter, we formally expressed the evaluation of a program P to a value V by the judgment Φ ⊢ P ↪ V, where Φ is the parameter context modelling the regular world assumption. In order to appreciate the new and refined operational semantics, we have to look at evaluation from a different point of view. We say that P evaluates to V if and only if there exists a trace from an initial state which corresponds to P to a final state which corresponds to V. The trace is to be understood as a sequence of state transitions performed by some (still to be defined) abstract machine.

This idea can be visualized by the following diagram: the derivation D stands for compiling P into a program contained in the state S0, E is the trace of the abstract machine, and Sn is the final state reached, say, after n steps. Q then extracts the result of the computation from Sn and decompiles it into a value in the sense of Section 6.5.

$$\mathcal{D} :: [P] = S_0 \qquad\qquad \mathcal{Q} :: \,]S_n[\, = V$$


Consider  the  proof  term  dia  formalizing  the  proof  of  the  diamond  Lemma  4.6.  Given  that 
all  universal  quantifiers  are  instantiated  by  concrete  LF  objects,  the  residual  proof  term  P  is 
of  existential  type.  It  guarantees  that  the  common  reduct  and  the  two  derivations  closing  the 
diamond  exist.  Upon  completion  of  the  abstract  machine,  we  extract  those  three  witness  objects 
from  the  result  of  the  computation. 

In this section, we discuss various aspects of the new small-step operational semantics and the underlying abstract machine. The fact is that the meta-logic is sound even if the diagram above does not commute. All that matters is that by executing the proof term applied to LF objects, the results are well-typed objects, witnessing that the types of the variables bound by existential quantifiers are inhabited. It does not matter whether the big-step semantics evaluates to a different value or not. On the other hand, even though we will not provide a proof for this claim, we conjecture that the small-step semantics is a refinement of the big-step semantics, i.e. that both are observationally equivalent: for any derivation D evaluating P to V, the small-step operational semantics will compute V from [P], and the reverse also holds. For any program P, value V, and computation trace E that starts in [P] and ends in [V] it is possible to reconstruct a derivation D of P ↪ V.

The kind of abstract machine employed in this thesis is a continuation-stack-based state machine. It is inspired by the CPM machine [Pfe00] and the CPS machine [FSDF93]. A state of the computation contains three bits of information. There is a continuation stack which represents delayed computations necessary to compute the overall value V, a generalized parameter context Φ, and, naturally, the program to be executed.
This section is organized as follows: we begin with the definition of programs and values and describe the process of compilation in Section 7.1.1. Based on programs we define execution states in Section 7.1.2. The abstract machine executing the programs of the small-step semantics is discussed in Section 7.1.3, for which we define a typing discipline and prove type preservation in Section 7.1.4.

7.1.1  Programs 

The small-step operational semantics is based on the idea that proof terms of M2 are compiled into programs suitable for execution on an abstract machine. In this subsection we discuss the form of programs. We also explain how to compile proof terms into programs.

What are programs? Traditionally, a program is a list of instructions to be executed on the abstract machine. In this thesis, however, we avoid sequentializing a proof term into a list of instructions and instead interpret proof terms unaltered as programs. Consider, for example, a proof term of the form ⟨P1, P2⟩. When executed on our abstract machine it will eventually evaluate to the value ⟨V1, V2⟩ (see the definition of the big-step operational semantics). But intuitively, during the computation, the abstract machine will inevitably encounter the program ⟨V1, P2⟩, if we consider a left-to-right computation of pairs. Note that in this example all three programs are syntactically the same proof term, but each of them carries a different computational meaning. Thus, each proof term gives rise to several programs, depending on which of its arguments have been instantiated by values (values are proof terms that do not need to be computed any further, since they would not change). Throughout this chapter we distinguish the different offspring of a proof term by different variable names for its arguments: P stands for programs, and V for values.

What forms do values take? Unlike Section 6.5, where we describe values only as the outcome of the evaluation of a proof term, in this setting values can take additional shapes: meta-substitution extensions must be considered values, because they may be the outcome of a list of declarations.

Values: $V ::= \lambda x{:}A.\,P \mid \Lambda\rho{:}L.\,P \mid \langle M, V\rangle \mid \langle V_1, V_2\rangle \mid \langle\rangle \mid (\psi; \delta)$

Thus,  in  summary,  programs  are  proof  terms  or  values.  This  information  can  be  easily 
inferred  and  need  not  be  represented  explicitly.  In  accordance  with  this  observation  there  is  no 
need  to  introduce  a  new  syntactic  class  for  programs.  Instead,  we  use  P  to  denote  proof  terms 
and  programs  simultaneously. 

What about compilation? Compiling a proof term means tagging it with information about which subterms are already values and which are not. Symmetrically, decompiling a program means removing those tags. The compilation and decompilation operations [·] and ]·[ can therefore be safely omitted. Proof terms are defined in terms of declarations and cases. What was said in this subsection about compilation also holds for declarations and cases, to which we loosely refer as programs.

7.1.2  States 

A state of the abstract machine is a triple consisting of a parameter context Φ, a continuation stack C, and the program to be executed. In this setting programs are either proof terms, declarations, cases or substitutions. Therefore, one possible form of a state is Φ; C ▷ P. In general, states are denoted by S and should not be confused with spines from Section 6.4. Their precise definition is given at the end of this subsection.

Continuation stacks C are stacks of delayed computations necessary to eventually compute the overall value of a program. Each continuation is a function expecting one argument, namely the result of the previous computation. There are different styles of presenting continuations: one can either represent each continuation by a leading λ-abstraction, binding the one argument [Pfe00] and assigning a name to it, or alternatively one can represent the bound variable by a special symbol [FSDF93]. In this presentation we follow the latter style and write • for each hole representing such a variable.

Returning to the small example from above, we consider a trace which computes the value of a pair ⟨P1, P2⟩. It starts by computing the value V1 of the first component P1. But before the abstract machine starts with the computation of P1, it has to memorize how to interpret its result. This is done by pushing an appropriate continuation onto the continuation stack. The form of the continuation is ⟨•, P2⟩, meaning that once P1 is executed, the resulting value belongs in the first position of the pair ⟨V1, P2⟩. Similarly, the evaluation of the second component requires the continuation ⟨V1, •⟩ to be pushed onto the continuation stack. Putting it all together, informally, here are a few snapshots along the trace of the abstract machine. We write S1 ⇒ S2 for a step of the abstract machine.

\[
\begin{array}{rl}
\cdots \Longrightarrow & \Phi; C \rhd \langle P_1, P_2 \rangle \\
\Longrightarrow & \Phi; C, \langle \bullet, P_2 \rangle \rhd P_1 \\
\Longrightarrow^{*} & \Phi; C, \langle \bullet, P_2 \rangle \rhd V_1 \\
\Longrightarrow & \Phi; C \rhd \langle V_1, P_2 \rangle \\
\Longrightarrow & \Phi; C, \langle V_1, \bullet \rangle \rhd P_2 \\
\Longrightarrow^{*} & \Phi; C, \langle V_1, \bullet \rangle \rhd V_2 \\
\Longrightarrow & \Phi; C \rhd \langle V_1, V_2 \rangle
\end{array}
\]


This example shows not only the idea behind continuation stacks in particular, but also how the abstract machine works in general. The different programs contained in a state determine the next computation step. If needed, the continuation stack is extended. Once a value in the computation is reached, the top continuation of the continuation stack is awakened, and the • is replaced by the value. The computation resumes with the new state. Therefore, in the general case, the computation of a program starts with an empty continuation stack, and the abstract machine halts with a value once the continuation stack is empty again. This value is the return value of the computation.

Since the proof terms of M2 are recursive functions defined via case analysis, the abstract machine can reach a state where it has to select an applicable case from the given list of cases Ω and continue with the execution of its body. We call these states match states and write Φ; C ▷ (ψ; δ) ~ Ω. A transition to a match state means to select an applicable case from Ω, to instantiate a few variables, and to execute the program in its body. The subject of the case is an explicit substitution (ψ; δ) against which the machine has to match the cases in Ω, using the algorithm we have developed in Section 6.4.

There are two possible states we have not accounted for yet. Programs compute values, but declarations compute substitutions. Thus, the state which prompts the abstract machine to execute a declaration is Φ; C ▷ D, whereas the result of this evaluation calls for a special kind of state, suitable for returning the result substitution: Φ; C ▷ ψ; δ. In addition, the continuations introduced by declarations contain two •'s. When such a continuation is awakened and applied to (ψ; δ), the leftmost • is replaced by ψ and the rightmost • by δ. We denote the empty continuation stack by ⋆.

Continuations:

\[
\begin{array}{lcl}
C & ::= & \star \mid C, \mathbf{let}\ \bullet\ \mathbf{in}\ P \\
  & \mid & C, \langle \bullet, P \rangle \mid C, \langle V, \bullet \rangle \mid C, \langle M, \bullet \rangle \\
  & \mid & C, (x \in F = \pi_1\, \bullet, D) \mid C, (x \in F = \pi_2\, \bullet, D) \\
  & \mid & C, (\bullet; V/x, \bullet) \\
  & \mid & C, ((x{:}A, y \in F) = \bullet, D) \mid C, (M/x, \bullet; V/y, \bullet) \\
  & \mid & C, (x \in F = \bullet\ M, D) \\
  & \mid & C, (x \in F = \bullet\ \rho, D) \\
  & \mid & C, (x \in F = \bullet, D) \\
  & \mid & C, (\Lambda\rho{:}L.\,(\bullet; \bullet))
\end{array}
\]

States: $S ::= \Phi; C \rhd P \mid \Phi; C \rhd D \mid \Phi; C \rhd (\psi; \delta) \sim \Omega \mid \Phi; C \rhd \psi; \delta$

The first transition into a match state is depicted by the following snapshot of a particular trace of the abstract machine.

\[ \cdots \Longrightarrow \Phi; C \rhd \mathbf{case}\ (\psi; \delta)\ \mathbf{of}\ \Omega \Longrightarrow \Phi; C \rhd (\psi; \delta) \sim \Omega \Longrightarrow \cdots \]

Operationally speaking, the abstract machine attempts to find an applicable case in Ω and makes a transition to a regular state, unless no such case exists. It is one of the results of this chapter that an applicable case always exists, given that the side condition (5.2) is satisfied. We continue this exposition with the definition of the abstract machine.


7.1.3  Abstract  Machine 

Following examples from the literature, we specify the small-step operational semantics as a transition relation between states. The single-step relation is denoted by ⇒, and its transitive closure by ⇒*.

One-step reduction: $\vdash S_1 \Longrightarrow S_2$
Multi-step reduction: $\vdash S_1 \Longrightarrow^{*} S_2$

The rules are a direct translation of the rules from Section 6.5, where we make extensive use of postponing the computation of subprograms as continuations. Every transition rule introduces at most one continuation. For each such rule there is a dual rule that defines how the continuation is to be applied to a value. In the let case, for example, there is a rule that defines how the program let D in P is computed: D is computed while the overall goal of the computation, let • in P, is stored on the continuation stack. The second rule then says that V must be a meta-substitution extension (because of the typing discipline, which we define in Section 7.1.4). Consequently, by reawakening the top continuation we obtain a new program embedded in a new state. Without loss of generality (as we discuss below in more detail) we can assume that every program computes a value; otherwise some other rule is applicable.

\[
\begin{array}{lrcl}
\mathit{trlet} & :: \ \Phi; C \rhd \mathbf{let}\ D\ \mathbf{in}\ P & \Longrightarrow & \Phi; C, \mathbf{let}\ \bullet\ \mathbf{in}\ P \rhd D \\
\mathit{trletC} & :: \ \Phi; C, \mathbf{let}\ \bullet\ \mathbf{in}\ P \rhd (\psi; \delta) & \Longrightarrow & \Phi; C \rhd P[\mathrm{id}_\Phi, \psi; \delta]
\end{array}
\]

Similarly, the next four transition rules, for conjunction, account for the computation of pairs as discussed above. The first two rules define the computation of a pair whose components are both non-values; the second two rules define the computation when the left component is already a value.

\[
\begin{array}{lrcl}
\mathit{trpair} & :: \ \Phi; C \rhd \langle P_1, P_2 \rangle & \Longrightarrow & \Phi; C, \langle \bullet, P_2 \rangle \rhd P_1 \\
\mathit{trpairC} & :: \ \Phi; C, \langle \bullet, P_2 \rangle \rhd V & \Longrightarrow & \Phi; C \rhd \langle V, P_2 \rangle \\
\mathit{trmix} & :: \ \Phi; C \rhd \langle V_1, P_2 \rangle & \Longrightarrow & \Phi; C, \langle V_1, \bullet \rangle \rhd P_2 \\
\mathit{trmixC} & :: \ \Phi; C, \langle V_1, \bullet \rangle \rhd V & \Longrightarrow & \Phi; C \rhd \langle V_1, V \rangle
\end{array}
\]

Dually to the rules for pairs, there are rules that define the computation of projections. Recall that projections are proof terms for left rules, and therefore they take the shape of declarations. Computing the result of a projection is standard. The first transition initiates the computation of the program from which we project, while storing on the continuation stack the information about what to do with the result: x ∈ F = π1 •, D. The second rule is activated once this continuation lies on top of the continuation stack. By inversion it follows that the result value has the form ⟨V1, V2⟩. Next, the machine continues to compute the rest of the declarations, and we can expect it to terminate in a value, more precisely in a meta-substitution extension. This substitution must then be extended by V1/x.

\[
\begin{array}{lrcl}
\mathit{trfst} & :: \ \Phi; C \rhd x \in F = \pi_1\, P, D & \Longrightarrow & \Phi; C, x \in F = \pi_1\, \bullet, D \rhd P \\
\mathit{trfstC} & :: \ \Phi; C, x \in F = \pi_1\, \bullet, D \rhd \langle V_1, V_2 \rangle & \Longrightarrow & \Phi; C, (\bullet; V_1/x, \bullet) \rhd D[V_1/x] \\
\mathit{trsnd} & :: \ \Phi; C \rhd x \in F = \pi_2\, P, D & \Longrightarrow & \Phi; C, x \in F = \pi_2\, \bullet, D \rhd P \\
\mathit{trsndC} & :: \ \Phi; C, x \in F = \pi_2\, \bullet, D \rhd \langle V_1, V_2 \rangle & \Longrightarrow & \Phi; C, (\bullet; V_2/x, \bullet) \rhd D[V_2/x] \\
\mathit{trmeta} & :: \ \Phi; C, (\bullet; V/x, \bullet) \rhd (\psi; \delta) & \Longrightarrow & \Phi; C \rhd (\psi; V/x, \delta)
\end{array}
\]

Very similarly, the proof term of an existential formula is computed via two rules, trinx and trinxC, which can be expected to return ⟨M, V⟩. Likewise, three more rules (trsplit, trsplitC, and trsubst) define the computation of a splitting operation. The trsubst rule plays the role of trmeta from above, except that, since this is a splitting operation, the witness object itself is part of the final result.

\[
\begin{array}{lrcl}
\mathit{trinx} & :: \ \Phi; C \rhd \langle M, P \rangle & \Longrightarrow & \Phi; C, \langle M, \bullet \rangle \rhd P \\
\mathit{trinxC} & :: \ \Phi; C, \langle M, \bullet \rangle \rhd V & \Longrightarrow & \Phi; C \rhd \langle M, V \rangle \\
\mathit{trsplit} & :: \ \Phi; C \rhd (x{:}A, y \in F) = P, D & \Longrightarrow & \Phi; C, ((x{:}A, y \in F) = \bullet, D) \rhd P \\
\mathit{trsplitC} & :: \ \Phi; C, ((x{:}A, y \in F) = \bullet, D) \rhd \langle M, V \rangle & \Longrightarrow & \Phi; C, (M/x, \bullet; V/y, \bullet) \rhd D[\mathrm{id}_\Phi, M/x; V/y] \\
\mathit{trsubst} & :: \ \Phi; C, (M/x, \bullet; V/y, \bullet) \rhd (\psi; \delta) & \Longrightarrow & \Phi; C \rhd (M/x, \psi; V/y, \delta)
\end{array}
\]

The following eight rules form the remaining transition rules for declarations. The rule trempty marks the computation of the end-of-declarations symbol. Naturally, it returns an empty meta-substitution extension. trApp and trAppC compute the result of a redex. They correspond to the ev_app rule from Section 6.5. The first rule computes the value of the recursive function to be executed, and the second rule applies it. Similarly, for variable block applications we define two rules: trapp and trappC. The trnew rule introduces a new parameter block of assumptions. It then computes the value of its body D. This computation can be expected to return a meta-substitution extension (ψ; δ), which is abstracted over the new parameter block, as discussed in Section 6.2.2, by trnewC.

\[
\begin{array}{lrcl}
\mathit{trempty} & :: \ \Phi; C \rhd \cdot & \Longrightarrow & \Phi; C \rhd (\cdot; \cdot) \\
\mathit{trApp} & :: \ \Phi; C \rhd x \in F = P\ M, D & \Longrightarrow & \Phi; C, x \in F = \bullet\ M, D \rhd P \\
\mathit{trAppC} & :: \ \Phi; C, x \in F = \bullet\ M, D \rhd \lambda x{:}A.\,P & \Longrightarrow & \Phi; C, x \in F = \bullet, D \rhd P[\mathrm{id}_\Phi, M/x] \\
\mathit{trapp} & :: \ \Phi; C \rhd x \in F = P\ \rho, D & \Longrightarrow & \Phi; C, x \in F = \bullet\ \rho, D \rhd P \\
\mathit{trappC} & :: \ \Phi; C, x \in F = \bullet\ \rho', D \rhd \Lambda\rho{:}L.\,P & \Longrightarrow & \Phi; C, x \in F = \bullet, D \rhd P[\mathrm{id}_\Phi, \rho'/\rho] \\
\mathit{trassign} & :: \ \Phi; C, x \in F = \bullet, D \rhd V & \Longrightarrow & \Phi; C, (\bullet; V/x, \bullet) \rhd D[V/x] \\
\mathit{trnew} & :: \ \Phi; C \rhd \nu\rho{:}L.\,D & \Longrightarrow & \Phi, \rho{:}L; C, (\Lambda\rho{:}L.\,(\bullet; \bullet)) \rhd D \\
\mathit{trnewC} & :: \ \Phi, \rho{:}L; C, (\Lambda\rho{:}L.\,(\bullet; \bullet)) \rhd \psi; \delta & \Longrightarrow & \Phi; C \rhd \Lambda\rho{:}L.\,(\psi; \delta)
\end{array}
\]

The final set of rules defines the execution of the two operations recursion and case analysis. The recursion rule does not introduce any new continuations. Similar to the ev_rec rule, it merely computes the value of its body, after replacing all occurrences of the recursion variable by the program itself.

\[ \mathit{trrec} :: \ \Phi; C \rhd \mu x \in F.\,P \Longrightarrow \Phi; C \rhd P[\mu x \in F.\,P/x] \]


Case analysis, on the other hand, is slightly more complicated. It uses the matching algorithm defined in Section 6.4.2. First, as shown in the example above, an analysis of cases is initiated by the case program. The subject of the case construct, the explicit substitution, is matched against each case. Because we can assume that each case is well-typed, each substitution ψ' is strict in both cases. Therefore, by Theorem 6.36, the matching problem Φ ▷ ψ ≈ ψ' is decidable, and thus it is clearly decidable whether tryes or trno is applicable. As a side remark, no new continuations must be pushed onto the continuation stack for the purpose of case analysis.

\[
\begin{array}{lrcl}
\mathit{trcase} & :: \ \Phi; C \rhd \mathbf{case}\ (\psi; \delta)\ \mathbf{of}\ \Omega & \Longrightarrow & \Phi; C \rhd (\psi; \delta) \sim \Omega \\
\mathit{tryes} & :: \ \Phi; C \rhd (\psi; \delta) \sim (\Omega, (\Phi' \rhd \psi' \mapsto P)) & \Longrightarrow & \\
& \multicolumn{3}{l}{\text{if there exists a } \psi'' \text{ s.t. } (\psi'; \mathrm{id}_{\Phi'}) \circ (\psi''; \delta) = (\psi; \delta)} \\
\mathit{trno} & :: \ \Phi; C \rhd (\psi; \delta) \sim (\Omega, (\Phi' \rhd \psi' \mapsto P)) & \Longrightarrow & \Phi; C \rhd (\psi; \delta) \sim \Omega \\
& \multicolumn{3}{l}{\text{if there is no } \psi'' \text{ s.t. } (\psi'; \mathrm{id}_{\Phi'}) \circ (\psi''; \delta) = (\psi; \delta)}
\end{array}
\]


The rules tryes and trno are quite simple, and, as we will see, the theoretical results associated with this construction reuse many of the results we have shown in the previous chapter. The final two rules define the reflexive and transitive closure of traces.

\[
\frac{}{S_1 \Longrightarrow^{*} S_1}\ \mathit{trid}
\qquad
\frac{S_1 \Longrightarrow S_2 \qquad S_2 \Longrightarrow^{*} S_3}{S_1 \Longrightarrow^{*} S_3}\ \mathit{trstep}
\]
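The pair trace of Section 7.1.2 and the transition rules above, run mechanically, as an added Python example that is not part of the thesis or of the Twelf system. It implements the pair, existential, let, projection and splitting rules on a fragment of the proof-term language; the parameter context Φ, variable blocks, recursion and case analysis are left out, and the meta-substitution extension (ψ; δ) is collapsed into a single dictionary holding both LF objects and proof-term values (all of these are simplifying assumptions, as is the construct-name encoding as tagged tuples). The sample program and the LF object `m` are constructed for the example.

```python
"""Continuation-stack abstract machine for a fragment of the M2 proof-term
language: pairs, existential witnesses, let, projections and splitting.
Added example, not code from the thesis or from Twelf.  Assumptions: the
parameter context Phi, variable blocks, recursion and case analysis are
omitted, and the meta-substitution extension (psi; delta) is collapsed
into one dict holding both LF objects and proof-term values."""

# Syntax, as nested tuples with the tag first:
#   programs     P ::= ('unit',) | ('pair', P1, P2) | ('inx', M, P) | ('let', D, P) | ('var', x)
#   declarations D ::= ('empty',) | ('fst', x, P, D) | ('snd', x, P, D) | ('split', x, y, P, D)
# LF objects M are plain strings.  A machine state is (kind, body) with kind in
# {'prg', 'dec', 'sub'}; the continuation stack is a list whose last element is the top.


def is_value(p):
    """V ::= <> | <V1, V2> | <M, V>; 'let' and a free 'var' still need computation."""
    tag = p[0]
    if tag == 'unit':
        return True
    if tag == 'pair':
        return is_value(p[1]) and is_value(p[2])
    if tag == 'inx':
        return is_value(p[2])
    return False


def subst(t, sigma):
    """P[sigma]: replace ('var', x) by sigma[x]; binders are not renamed."""
    if not isinstance(t, tuple):
        return t                      # tags, variable names and LF objects
    if t[0] == 'var':
        return sigma.get(t[1], t)
    return tuple(subst(e, sigma) for e in t)


def step(stack, state):
    """One transition of the machine; returns (rule name, new state)."""
    kind, body = state
    if kind == 'prg':
        p = body
        if p[0] == 'pair' and not is_value(p[1]):        # trpair
            stack.append(('pair1', p[2]))
            return 'trpair', ('prg', p[1])
        if p[0] == 'pair' and not is_value(p[2]):        # trmix
            stack.append(('pair2', p[1]))
            return 'trmix', ('prg', p[2])
        if p[0] == 'inx' and not is_value(p[2]):         # trinx
            stack.append(('inx', p[1]))
            return 'trinx', ('prg', p[2])
        if p[0] == 'let':                                # trlet
            stack.append(('let', p[2]))
            return 'trlet', ('dec', p[1])
        if not is_value(p):
            raise ValueError('stuck on free variable %r' % (p,))
        k = stack.pop()                                  # a value meets the top continuation
        if k[0] == 'pair1':                              # trpairC
            return 'trpairC', ('prg', ('pair', p, k[1]))
        if k[0] == 'pair2':                              # trmixC
            return 'trmixC', ('prg', ('pair', k[1], p))
        if k[0] == 'inx':                                # trinxC
            return 'trinxC', ('prg', ('inx', k[1], p))
        if k[0] in ('fst', 'snd'):                       # trfstC / trsndC, p = <V1, V2>
            _, x, d = k
            v = p[1] if k[0] == 'fst' else p[2]
            stack.append(('meta', x, v))                 # the (.; V/x, .) continuation
            return 'tr' + k[0] + 'C', ('dec', subst(d, {x: v}))
        if k[0] == 'split':                              # trsplitC, p = <M, V>
            _, x, y, d = k
            stack.append(('subst', x, p[1], y, p[2]))    # the (M/x, .; V/y, .) continuation
            return 'trsplitC', ('dec', subst(d, {x: p[1], y: p[2]}))
    if kind == 'dec':
        d = body
        if d[0] == 'empty':                              # trempty: empty substitution
            return 'trempty', ('sub', {})
        if d[0] in ('fst', 'snd'):                       # trfst / trsnd
            stack.append((d[0], d[1], d[3]))
            return 'tr' + d[0], ('prg', d[2])
        if d[0] == 'split':                              # trsplit
            stack.append(('split', d[1], d[2], d[4]))
            return 'trsplit', ('prg', d[3])
    if kind == 'sub':
        k = stack.pop()
        if k[0] == 'let':                                # trletC
            return 'trletC', ('prg', subst(k[1], body))
        if k[0] == 'meta':                               # trmeta
            return 'trmeta', ('sub', {k[1]: k[2], **body})
        if k[0] == 'subst':                              # trsubst
            return 'trsubst', ('sub', {k[1]: k[2], k[3]: k[4], **body})
    raise ValueError('no rule applies to %r' % (state,))


def run(p):
    """Run p from the empty stack to a final state; return (value, rule trace)."""
    stack, state, trace = [], ('prg', p), []
    while not (state[0] == 'prg' and is_value(state[1]) and not stack):
        rule, state = step(stack, state)
        trace.append(rule)
    return state[1], trace


# Constructed sample:  let x = pi2 <let . in <>, <m, <>>>, (y:A, z) = x, . in <z, <y, <>>>
SAMPLE = ('let',
          ('snd', 'x', ('pair', ('let', ('empty',), ('unit',)), ('inx', 'm', ('unit',))),
           ('split', 'y', 'z', ('var', 'x'), ('empty',))),
          ('pair', ('var', 'z'), ('inx', ('var', 'y'), ('unit',))))
```

`run(SAMPLE)` returns the value ⟨⟨⟩, ⟨m, ⟨⟩⟩⟩ together with the names of the fourteen rules fired, which shows the two-•-continuations of trsndC and trsplitC being discharged in stack order (trsubst before trmeta) before trletC resumes the body of the let. Removing the `is_value` guards from the pair rules would make the machine push continuations for values and loop, which is why the value check precedes every push.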


This concludes our presentation of the operational semantics of the abstract machine. We conjecture that the small-step operational semantics is sound and complete with respect to the big-step operational semantics. Whenever there is a computation of V from P, then V is the result of evaluating P.

Conjecture 7.1 (Soundness)

If 𝒟 :: Φ; ⋆ ▷ P ⇒* Φ; ⋆ ▷ V
then ℰ :: Φ ⊢ P ↪ V.

Vice versa, each evaluation of any program P to a value V can be simulated and executed on the abstract machine while preserving results.

Conjecture 7.2 (Completeness)

If 𝒟 :: Φ ⊢ P ↪ V
then ℰ :: Φ; ⋆ ▷ P ⇒* Φ; ⋆ ▷ V.

In summary, we have defined an abstract machine which executes the proof terms of M2. The small-step semantics is the appropriate tool to reason about totality. In the next section, we show that it is also type preserving.

7.1.4  Validity 

A small-step operational semantics is said to be type preserving if all states in a computation trace are valid and of the same type. Therefore the task of designing an appropriate typing discipline for this operational semantics reduces to establishing a suitable typing discipline on states.

Internally, states consist of parameter contexts, continuation stacks, and programs. Programs are proof terms, and they therefore inherit the typing discipline from Section 5.4. From this we can already guarantee that throughout a computation the parameter context remains well-typed, given that it is initially well-typed, which we always presuppose. The reason is that Φ is only modified by the trnew and trnewC rules, and clearly in a sound way.

Therefore, the main challenge in designing a type system for states hinges on an appropriate definition of the type system for continuation stacks, which we develop in this subsection. We proceed as follows. Continuations are parametric meta-level functions, different enough from the standard meta-level functions we have described in Chapter 4 to warrant a new definition of continuation types. More precisely, there are two different continuation types. First, there is one that expresses that a continuation expects a value of some formula F1 as input and returns some value of formula F2 as result. Second, the other type expresses that the continuation expects as input a meta-substitution extension of "type" (Ψ; Δ) and returns a value of a formula F as result.

Continuation types: $T ::= F_1 \Rightarrow F_2 \mid (\Psi; \Delta) \Rightarrow F$

From a logical point of view, both continuation types are implications; however, the meta-logic is relatively impoverished with respect to the standard propositional connectives such as negation and disjunction, and, in addition, we cannot quantify over substitutions. Thus, we cannot use the meta-logic itself to provide the notion of continuation types.

The typing discipline for continuation stacks extends the one for continuations in the standard way. Note that, because of the regular world assumption, continuation stacks are not necessarily closed. New parameter blocks are inserted into the parameter context by trnew and retracted by trnewC. Therefore, the typing judgment for continuation stacks must take a parameter context into account.

Valid continuation stacks: $\Phi \vdash C \in T$


The semantics of this judgment is defined by a set of inference rules. The empty continuation stack, for example, acts as the identity function.

\[ \frac{}{\Phi \vdash \star \in F \Rightarrow F}\ \mathit{tcdone} \]

A stack with a let continuation as top element has type (Ψ; Δ) ⇒ F if its body P has type F1 in the meta-context Φ, Ψ; Δ. The remaining continuation stack, on the other hand, must be of type F1 ⇒ F.

\[ \frac{\Phi \vdash C \in F_1 \Rightarrow F \qquad \Phi, \Psi; \Delta \vdash P \in F_1}{\Phi \vdash C, \mathbf{let}\ \bullet\ \mathbf{in}\ P \in (\Psi; \Delta) \Rightarrow F}\ \mathit{tclet} \]

A stack whose top continuation is a pair with a • as first component has type F1 ⇒ F if the rest of the continuation stack has type F1 ∧ F2 ⇒ F and the second component of the pair is well-typed.

\[ \frac{\Phi \vdash C \in F_1 \wedge F_2 \Rightarrow F \qquad \Phi; \cdot \vdash P \in F_2}{\Phi \vdash C, \langle \bullet, P \rangle \in F_1 \Rightarrow F}\ \mathit{tcpair} \]

Similarly, if the top continuation on the stack is a pair with a • as second component, its type is F2 ⇒ F, given that the rest of the continuation stack has type F1 ∧ F2 ⇒ F and the first component of the pair is well-typed.

\[ \frac{\Phi \vdash C \in F_1 \wedge F_2 \Rightarrow F \qquad \Phi; \cdot \vdash V \in F_1}{\Phi \vdash C, \langle V, \bullet \rangle \in F_2 \Rightarrow F}\ \mathit{tcmix} \]

Along the same lines, if ⟨M, •⟩ lies on the continuation stack, the rest of the stack must be of type ∃x:A. F1 ⇒ F. Consequently, the stack as a whole then has type F1[idΦ, M/x] ⇒ F.

\[ \frac{\Phi \vdash C \in \exists x{:}A.\,F_1 \Rightarrow F \qquad \Phi \vdash M : A}{\Phi \vdash C, \langle M, \bullet \rangle \in F_1[\mathrm{id}_\Phi, M/x] \Rightarrow F}\ \mathit{tcinx} \]

We now consider the case that (x ∈ F1 = π1 •, D) lies on top of the continuation stack. It expects as argument a value of type F1 ∧ F2, given that D has type Ψ; Δ. Thus, the remaining stack expects a meta-substitution extension of type (Ψ; x ∈ F1, Δ) as input. A side remark: these rules are the reason why we need to label each occurrence of x explicitly by its formula; otherwise we could not express the right premiss of tcfst. The typing rule for the symmetric projection is defined analogously.

\[ \frac{\Phi \vdash C \in (\Psi; x \in F_1, \Delta) \Rightarrow F \qquad \Phi; x \in F_1 \vdash D \in \Psi; \Delta}{\Phi \vdash C, (x \in F_1 = \pi_1\, \bullet, D) \in F_1 \wedge F_2 \Rightarrow F}\ \mathit{tcfst} \]

\[ \frac{\Phi \vdash C \in (\Psi; x \in F_2, \Delta) \Rightarrow F \qquad \Phi; x \in F_2 \vdash D \in \Psi; \Delta}{\Phi \vdash C, (x \in F_2 = \pi_2\, \bullet, D) \in F_1 \wedge F_2 \Rightarrow F}\ \mathit{tcsnd} \]

The continuation (x ∈ F1 = •, D) captures the assignment of the current value to x in D and to subsequent occurrences of x in the proof term. Naturally, its type is F1 ⇒ F, where F is the type of the overall computation.

\[ \frac{\Phi \vdash C \in (\Psi; x \in F_1, \Delta) \Rightarrow F \qquad \Phi; x \in F_1 \vdash D \in \Psi; \Delta}{\Phi \vdash C, (x \in F_1 = \bullet, D) \in F_1 \Rightarrow F}\ \mathit{tcassign} \]

Following a very similar line of argument, we derive that the continuation used in the trmeta rule has type (Ψ; Δ) ⇒ F.

\[ \frac{\Phi \vdash C \in (\Psi; x \in F_1, \Delta) \Rightarrow F \qquad \Phi; \cdot \vdash V \in F_1}{\Phi \vdash C, (\bullet; V/x, \bullet) \in (\Psi; \Delta) \Rightarrow F}\ \mathit{tcmeta} \]


The previous three rules were concerned with typing continuations which may occur while evaluating a pair. Analogously, the following two rules assign types to continuations which may occur during the evaluation of a proof term of existential type.

\[ \frac{\Phi \vdash C \in (x{:}A, \Psi; y \in F_1, \Delta) \Rightarrow F \qquad \Phi, x{:}A; y \in F_1 \vdash D \in \Psi; \Delta}{\Phi \vdash C, ((x{:}A, y \in F_1) = \bullet, D) \in \exists x{:}A.\,F_1 \Rightarrow F}\ \mathit{tcsplit} \]

\[ \frac{\Phi \vdash C \in (x{:}A, \Psi; y \in F_1, \Delta) \Rightarrow F \qquad \Phi \vdash M : A \qquad \Phi; \cdot \vdash V \in F_1[\mathrm{id}_\Phi, M/x]}{\Phi \vdash C, (M/x, \bullet; V/y, \bullet) \in [\mathrm{id}_\Phi, M/x](\Psi; \Delta) \Rightarrow F}\ \mathit{tcsubst} \]


While executing a declaration that applies a function to an LF object or to a variable block, a new continuation is pushed onto the continuation stack; in the first case the continuation is (y ∈ F1[idΦ, M/x] = • M, D), and in the second it is (x ∈ F1[idΦ, ρ'/ρ] = • ρ', D). The types of the resulting continuation stacks are ∀x:A. F1 ⇒ F and Πρ:L. F1 ⇒ F, respectively.

\[ \frac{\Phi \vdash C \in (\Psi; y \in F_1[\mathrm{id}_\Phi, M/x], \Delta) \Rightarrow F \qquad \Phi \vdash M : A \qquad \Phi; y \in F_1[\mathrm{id}_\Phi, M/x] \vdash D \in \Psi; \Delta}{\Phi \vdash C, (y \in F_1[\mathrm{id}_\Phi, M/x] = \bullet\ M, D) \in \forall x{:}A.\,F_1 \Rightarrow F}\ \mathit{tcApp} \]

\[ \frac{\Phi \vdash C \in (\Psi; x \in F_1[\mathrm{id}_\Phi, \rho'/\rho], \Delta) \Rightarrow F \qquad \Phi \vdash \rho = \rho' \qquad \Phi; x \in F_1[\mathrm{id}_\Phi, \rho'/\rho] \vdash D \in \Psi; \Delta}{\Phi \vdash C, (x \in F_1[\mathrm{id}_\Phi, \rho'/\rho] = \bullet\ \rho', D) \in \Pi\rho{:}L.\,F_1 \Rightarrow F}\ \mathit{tcapp} \]

And finally, the new continuation C, (Λρ:L. (•; •)) has type (Ψ; Δ) ⇒ F only if C expects the abstracted version of (Ψ; Δ) as input and returns a value of type F. In this rule Π is not a constructor; it is the function which abstracts Ψ; Δ accordingly.

\[ \frac{\Phi \vdash C \in \Pi\rho{:}L.\,(\Psi; \Delta) \Rightarrow F}{\Phi, \rho{:}L \vdash C, (\Lambda\rho{:}L.\,(\bullet; \bullet)) \in (\Psi; \Delta) \Rightarrow F}\ \mathit{tcnew} \]


This concludes our presentation of the typing rules for continuation stacks. The next step in this development leads to a typing discipline on states. We write ⊢ S ∈ F if S has type F.

Valid states: $\vdash S \in F$

Since we distinguish four different kinds of states (according to whether the body is a program, a list of declarations, a list of cases, or a meta-substitution), there are four different typing rules: tsprg, tsdec, tscase, and tssub. The design of all rules is inspired by the form of a cut rule, in the sense that F1 and (Ψ; Δ), respectively, do not occur in the conclusion.

\[ \frac{\Phi \vdash C \in F_1 \Rightarrow F \qquad \Phi; \cdot \vdash P \in F_1}{\vdash (\Phi; C \rhd P) \in F}\ \mathit{tsprg} \]

\[ \frac{\Phi \vdash C \in (\Psi; \Delta) \Rightarrow F \qquad \Phi; \cdot \vdash D \in \Psi; \Delta}{\vdash (\Phi; C \rhd D) \in F}\ \mathit{tsdec} \]

\[ \frac{\Phi \vdash C \in F_1[\psi] \Rightarrow F \qquad \Psi; \Delta \vdash \Omega \in F_1}{\vdash (\Phi; C \rhd (\psi; \delta) \sim \Omega) \in F}\ \mathit{tscase} \]

\[ \frac{\Phi \vdash C \in (\Psi; \Delta) \Rightarrow F \qquad \Phi; \cdot \vdash \mathrm{id}_\Phi, \psi; \delta \in \Psi; \Delta}{\vdash (\Phi; C \rhd \psi; \delta) \in F}\ \mathit{tssub} \]

In summary, we have successfully established a typing discipline for states. What remains to be shown is that any execution on the abstract machine preserves types. Specifically, we prove that the type of a state remains invariant during computation.

Theorem 7.3 (Local type preservation for small-step semantics)

If 𝒟 :: ⊢ S ∈ F
and ℰ :: S ⇒ S'
then ⊢ S' ∈ F.

Proof: by case analysis on ℰ using Lemma 6.20, Lemma 6.37, Lemma 6.22, and Lemma 6.7. A detailed proof can be found in Appendix C. □

By a simple induction over the length of a computation trace, we generalize this result to the transitive closure of the transition relation.

Theorem 7.4 (Type preservation for small-step semantics)

If 𝒟 :: S ⇒* S'
and ℰ :: ⊢ S ∈ F
then ⊢ S' ∈ F.

Proof: by induction on 𝒟 using Lemma 7.3. A detailed proof can be found in Appendix C. □

Note that, similarly to the proof of Theorem 6.38, this proof relies neither on the termination side condition (5.1) nor on the coverage side condition (5.2). In fact, even without these two side conditions, the small-step operational semantics is type preserving.

In general, we are not interested in computations that terminate prematurely, but only in computations that terminate with a legitimate return value. We will show in Section 7.3 that no computation can terminate prematurely. Legitimate states which mark the end of a computation are called final states. Their main characteristic is that their continuation stack is empty and their program is a value, which cannot be evaluated any further.

Definition 7.5 (Final state) Let Φ be a parameter context and V be a value. Φ; ⋆ ▷ V is called a final state.

Any computation trace which starts in an initial state (Φ; ⋆ ▷ P, for any regular Φ and any P) ends in a final state whose parameter context is Φ again. The main insight is that trnew and trnewC are the only two rules that can insert parameter blocks into Φ and retract them.

Lemma 7.6 (Parameter context preservation)

If Φ; ⋆ ▷ P ⇒* Φ'; ⋆ ▷ V
then Φ = Φ'.

Proof: by inspection of the transition rules. □

In summary, we have defined a small-step operational semantics that can be executed on an abstract machine. The semantics is type preserving (i.e. partially correct), which means that once a well-typed program is executed, the return value will also be well-typed. M2 proof terms can be directly executed on this machine, and, without proof, we conjecture that it computes exactly the same value one would expect when evaluating a proof term with the big-step operational semantics defined in Section 6.5.

Independent of this conjecture, we continue our analysis of termination and progress properties with the small-step semantics. Once these two properties are shown to hold, we have proven that M2 is sound.

7.2  Termination 

In order for M2 to be a sound logic, all its proof terms must be realizers, that is, once applied to arguments, their computation eventually terminates and returns the appropriate existentially quantified witness objects. Recall that recursion and case analysis are designed to support reasoning by induction over higher-order encodings in M2.

It is obvious that without side condition (5.1) on Rctx not every computation terminates. For example,

fun trans E1 E2 = trans E1 E2

has type

$\forall T{:}\mathrm{tp}.\ \forall E_1{:}\mathrm{term}\ T.\ \forall E_2{:}\mathrm{term}\ T.\ \exists D{:}E_1 \Rightarrow E_2.\ \top$

but it is not a realizer for this theorem, because it will never terminate once applied to any type T and well-typed terms E1 and E2. Moreover, this claim should not have a proof at all, since it is clearly false: there are well-typed terms that do not parallel reduce to each other. Thus, that all recursive functions in M2 terminate is a necessary precondition for the soundness of M2.

Why doesn't this function terminate? It doesn't terminate because in the recursive call the argument vector E1 E2 is not smaller than the vector of arguments the function is initially called with. Instead, we must require it to be strictly smaller, according to some well-founded ordering. This observation is the fundamental insight which allows us to design an appropriate syntactic criterion for side condition 5.1. Recall that in Section 5.6.1, where we introduced the rule Rctx, we already established a semantic termination condition. In essence, we can directly apply the results of previous work by Rohwedder and Pfenning [RP96], where they analyze lexicographic and simultaneous extensions of the subterm ordering. Other, more complex termination orderings are still work in progress.

In this section we discuss the matter of termination, which we split into three parts. We first impose a restriction on the form of proof terms in Section 7.2.1 before we define a syntactic criterion for side condition 5.1 in Section 7.2.2. We then argue in Section 7.2.3 that the computation of any proof term on the abstract machine is always terminating.

7.2.1  Syntactic Restriction on Proof Terms


In order to simplify this presentation, we pose a few more syntactic restrictions on the form of proof terms. First, we consider only proof terms that start with a leading $\mu x \in F.\ P$ where $P$ itself does not contain any other occurrences of recursion operators. Therefore, we can easily localize the occurrences of the recursion variable $x$ in the proof term. Because of an earlier restriction, we only examine proof terms which are in the ^-fragment of $\mathcal{M}_2^+$. Thus we can easily analyze all complete argument vectors in the recursive calls and compare them to the originally given one. Unfortunately, because of the distributed character of function calls, arguments might be scattered all over the term. It goes without saying that reasoning about proof terms in this generality is extremely complicated and convoluted. Therefore, as a second restriction, we also restrict the form of recursive calls.

Typically, a recursive call is expressed via a list of declarations. To simplify matters, we only consider proof terms that use one let constructor to describe each recursive call and each call to a subroutine. Naturally, each declaration block may be preceded by several parameter block introductions. As an example, consider the pbeta/pbeta case in the proof of the diamond Lemma 3.7.

    dia (pbeta (λx : term T. λu : x ⇒ x. D1^l x u) D2^l)
        (pbeta (λx : term T. λu : x ⇒ x. D1^r x u) D2^r) =
      let
        new x : term T, u : x ⇒ x
        val (P1 x u, P2 x u) = dia (D1^l x u) (D1^r x u)
      in
        let
          val (Q1, Q2) = dia D2^l D2^r
          val E1 = subst P1 Q1
          val E2 = subst P2 Q2
        in
          (E1, E2)
        end
      end


The first application of the induction hypothesis can be represented in $\mathcal{M}_2^+$ in many different ways, but for the purpose of this thesis, we require that it has the following form (we omit all type and formula annotations):

    let
      ν (x : term T2, u : x ⇒ x)^L.
        y1 = dia T1,
        y2 = y1 E1,
        y3 = y2 E1^l,
        y4 = y3 E1^r,
        y5 = y4 (D1^l x u),
        y6 = y5 (D1^r x u),
        (E', y7) = y6,
        (P1, y8) = y7,
        (P2, y9) = y8
    in

$y_1, \ldots, y_9$ are only auxiliary variables which bind partially instantiated proof terms. Throughout the remainder of this chapter, we only consider functions in $\mathcal{M}_2^+$ which are of this form and which, in addition, never reuse any of the auxiliary variables elsewhere in the proof term. In order to have a convenient way of referring to a recursive call in a proof term, we use the following shorthand notation.

    ν (x : term T2, u : x ⇒ x)^L. (E' x, P1 x u, P2 x u) = dia T1 E1 E1^l E1^r (D1^l x u) (D1^r x u)

It seems as if these two restrictions limit the expressive power of $\mathcal{M}_2^+$. This is not true. There are two reasons: First, the subset we are considering is certainly a superset of the surjective image of the naive formulation of the desugaring function. Thus, our termination argument applies to every function that we can write down in ML-notation. Second, we strongly believe that any program $P \in F$ can be transformed into a program $P' \in F$ which lies within this fragment; the exact investigation of this issue is left to future research, when we extend termination orderings beyond extensions of the subterm ordering and allow arbitrary well-founded termination orderings.

7.2.2  Syntactic  Termination  Criterion 

We begin now with the discussion of a syntactic termination criterion for side condition (5.1). As an example, consider the proof of the diamond Lemma 3.7. The corresponding $\mathcal{M}_2^+$ function expects six arguments, and it therefore has the following form:

$\mu\mathsf{dia}.\ \Lambda T : \mathsf{tp}.\ \Lambda E : \mathsf{term}\ T.\ \Lambda E^l : \mathsf{term}\ T.\ \Lambda E^r : \mathsf{term}\ T.\ \Lambda D^l : E \Rightarrow E^l.\ \Lambda D^r : E \Rightarrow E^r.\ \ldots$

In several places in the body of this function (indicated by $\ldots$), dia is used as the head of a recursive call. After adding syntactic sugar, the recursive calls in the pbeta/pbeta case (see the figure above), for example, are of the form

$\mathsf{dia}\ (D_1^l\,x\,u)\ (D_1^r\,x\,u)$

and

$\mathsf{dia}\ D_2^l\ D_2^r$

where the variables in the head of the function have been instantiated as follows.

$T = T_1$

$E = \mathsf{app}\ (\mathsf{lam}\ E_1)\ E_2$

$E^l = E_1^l\ E_2^l$

$E^r = E_1^r\ E_2^r$

$D^l = \mathsf{pbeta}\ (\lambda x : \mathsf{term}\ T_2.\ \lambda u : x \Rightarrow x.\ D_1^l\,x\,u)\ D_2^l$

$D^r = \mathsf{pbeta}\ (\lambda x : \mathsf{term}\ T_2.\ \lambda u : x \Rightarrow x.\ D_1^r\,x\,u)\ D_2^r$

Clearly, the argument vector decreases with each recursive call, because $D_1^l, D_2^l$ are subterms of $D^l$ and $D_1^r, D_2^r$ are subterms of $D^r$. The same observation holds for all other occurrences of recursive calls, and therefore dia terminates overall.

In this work, we also consider simultaneous and lexicographic extensions of the subterm ordering. Simultaneous orderings also extend subterm orderings. The proof of the diamond lemma, for example, satisfies the simultaneous ordering $[D^l\ D^r]$, which means that either $D^l$ or $D^r$ becomes smaller in every recursive call. But unlike for lexicographic orderings, neither $D^l$ nor $D^r$ can ever become bigger.

Another example is the cut-elimination theorem for classical or intuitionistic logic. It requires a termination ordering which is lexicographic in the cut formula $A$, and simultaneous in the left derivation $D^l$ and the right derivation $D^r$ [Pfe95]. Formally, this ordering is written as $\{A\ [D^l\ D^r]\}$.

For mutually recursive functions we have to track precisely how the different functions call each other. We do this by introducing positions, which are lists of variable names bound in the different mutually recursive parts of a theorem, as we used them for the proof of Lemma 4.11.

Definition 7.7 (Termination order)

Position: $P ::= (x_1, \ldots, x_n)$

Termination order: $O ::= P \mid \{O_1, \ldots, O_n\} \mid [O_1, \ldots, O_n]$

For simplicity, we omit the mutually recursive case from this discussion. It is entirely orthogonal to this development and can be easily added. We write ‘$\mathsf{order}(O, M_1 \ldots M_n)$’ to extract the vector of significant arguments for the well-founded ordering. The comparison functions ‘$<_O$’ and ‘$\leq_O$’ on those vectors are defined as in [RP96], and $<_O$ is well-founded for any ordering $O$. We specify a syntactic termination condition for Rctx inspired by [RP96].

Definition 7.8 (Termination condition for Rctx) Let $\mu x \in F.\ \Lambda x_1 : A_1.\ \ldots\ \Lambda x_n : A_n.\ P$ be a proof term, $O$ a termination order, $\nu\,\rho_1.\ \ldots\ \nu\,\rho_k.\ \ldots = x\ M_1 \ldots M_n$ a recursive call in $P$ valid in $\Delta$, and $\psi$ a substitution $\Psi \vdash \psi \in x_1 : A_1, \ldots, x_n : A_n$.

We say that this recursive call satisfies the termination condition if and only if

$\mathsf{order}(O, M_1 \ldots M_n) <_O \mathsf{order}(O, x_1[\psi] \ldots x_n[\psi])$

One important property of Rohwedder and Pfenning’s termination order is that the well-foundedness of $<_O$ is preserved under substitution. Formally, if

$\mathsf{order}(O, M_1 \ldots M_n) <_O \mathsf{order}(O, x_1[\psi] \ldots x_n[\psi])$

in $\Psi$, then

$\mathsf{order}(O, M_1[\psi'] \ldots M_n[\psi']) <_O \mathsf{order}(O, x_1[\psi \circ \psi'] \ldots x_n[\psi \circ \psi'])$

for all $\psi'$ for which $\Psi' \vdash \psi' \in \Psi$ holds.

The choice of the termination order is very important, especially for automated theorem proving. It dictates the general form of the induction hypothesis. To see that the proof term dia terminates, for example, it is enough to check all recursive calls via the termination order $[D^l]$ (see Figure 4.4)! For proof generation, on the other hand, we can use the termination order to encode additional information about recursive calls. There are infinitely many recursive calls satisfying $[D^l]$ because $D^r$ remains unrestricted. If we use the termination order $[D^l\ D^r]$ instead, there are only very few recursive calls satisfying it.
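As an added example (not code from the thesis or from Twelf), the following Python sketch implements the syntactic check of Definition 7.8 for the orders of Definition 7.7 over first-order terms: a term is a variable or a tuple of constructor name and arguments, which simplifies the higher-order LF objects of the thesis, and the comparisons are the subterm ordering with its lexicographic and simultaneous extensions in the simplest reading of [RP96]. The pbeta/pbeta calls of dia, the non-terminating trans and the cut-elimination order $\{A\ [D^l\ D^r]\}$ are constructed inputs; the names check_calls, order_vector and less are this example's own.

```python
# Added example, not code from the thesis or from Twelf: a syntactic
# termination check in the spirit of Definition 7.8 over first-order terms.
# A term is a variable (string) or a tuple (constructor, arg1, ..., argn);
# the higher-order LF objects of the thesis are simplified to this shape.
# Termination orders follow Definition 7.7: ("pos", name) names one argument,
# ("lex", O1, ...) is the lexicographic extension {O1 ... On} and
# ("sim", O1, ...) the simultaneous extension [O1 ... On].


def is_strict_subterm(s, t):
    """Subterm ordering: s occurs strictly inside t."""
    if isinstance(t, str):
        return False
    return any(s == a or is_strict_subterm(s, a) for a in t[1:])


def order_vector(order, args):
    """order(O, M1 ... Mn): project the arguments that are significant for O."""
    if order[0] == "pos":
        return args[order[1]]
    return tuple(order_vector(o, args) for o in order[1:])


def less(order, new, old):
    """new <_O old on vectors built by order_vector (simplest reading of [RP96])."""
    kind, subs = order[0], order[1:]
    if kind == "pos":
        return is_strict_subterm(new, old)
    if kind == "lex":
        # the first strictly smaller component decides; later ones may grow
        for o, a, b in zip(subs, new, old):
            if less(o, a, b):
                return True
            if a != b:
                return False
        return False
    if kind == "sim":
        # some component strictly smaller, and no component larger
        pairs = list(zip(subs, new, old))
        return (any(less(o, a, b) for o, a, b in pairs)
                and all(a == b or less(o, a, b) for o, a, b in pairs))
    raise ValueError(f"unknown termination order {kind!r}")


def check_calls(order, original, calls):
    """One verdict per recursive call: does its argument vector decrease?"""
    old = order_vector(order, original)
    return [less(order, order_vector(order, call), old) for call in calls]


# The pbeta/pbeta case of dia (Section 7.2.2) as constructed first-order terms;
# the lambda-bound x, u of the thesis are left implicit.
DIA_ORIGINAL = {"Dl": ("pbeta", ("lam", "D1l"), "D2l"),
                "Dr": ("pbeta", ("lam", "D1r"), "D2r")}
DIA_CALLS = [{"Dl": "D1l", "Dr": "D1r"},      # dia (D1l x u) (D1r x u)
             {"Dl": "D2l", "Dr": "D2r"}]      # dia D2l D2r
SIM_DL_DR = ("sim", ("pos", "Dl"), ("pos", "Dr"))   # [Dl Dr]
ONLY_DL = ("pos", "Dl")                               # [Dl]

# The non-terminating trans of Section 7.2: the call repeats its arguments.
TRANS_ORDER = ("sim", ("pos", "E1"), ("pos", "E2"))
TRANS_ORIGINAL = {"E1": "E1", "E2": "E2"}
TRANS_CALLS = [{"E1": "E1", "E2": "E2"}]

# The cut-elimination shape {A [Dl Dr]}: lexicographic in the cut formula A,
# simultaneous in the two derivations (constructed inputs).
CUT_ORDER = ("lex", ("pos", "A"), ("sim", ("pos", "Dl"), ("pos", "Dr")))
CUT_ORIGINAL = {"A": ("and", "A1", "A2"),
                "Dl": ("andR", "D1", "D2"),
                "Dr": ("andL", "D3")}
CUT_CALLS = [
    {"A": "A1", "Dl": ("cut", ("andR", "D1", "D2")), "Dr": "D3"},  # A shrinks, Dl may grow
    {"A": ("and", "A1", "A2"), "Dl": "D1", "Dr": ("andL", "D3")},  # A equal, Dl shrinks
    {"A": ("and", "A1", "A2"), "Dl": ("cut", ("andR", "D1", "D2")), "Dr": "D3"},  # A equal, Dl grows
]

if __name__ == "__main__":
    print(check_calls(SIM_DL_DR, DIA_ORIGINAL, DIA_CALLS))       # [True, True]
    print(check_calls(TRANS_ORDER, TRANS_ORIGINAL, TRANS_CALLS))  # [False]
    print(check_calls(CUT_ORDER, CUT_ORIGINAL, CUT_CALLS))        # [True, True, False]
```

The third cut-elimination call shows why the lexicographic order matters: with $A$ unchanged, the simultaneous component must decide, and a derivation that grows is rejected even though the other one shrinks.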

7.2.3  Termination  Theorem 

With the syntactic side condition specified in Definition 7.8, all recursive functions in $\mathcal{M}_2^+$ are terminating. Under the regular world assumption, a program is computed with respect to a regularly formed parameter context $\Phi$. Apart from this, the program must be closed with respect to meta-variables and LF-variables. We assume that all meta-variables acting as subroutine calls have been instantiated by terminating proof terms.

The proof of the termination theorem is based on the following idea: We record the argument vector the function is called with. When the abstract machine executes a recursive call, we compare it to the argument vector of the recursion variable. By unfolding Condition 7.8 we ensure that the new argument vector is smaller. In addition, in all other situations the abstract machine continues by executing a subterm of the current program (or a list of cases), and therefore the computation must eventually terminate.

Theorem 7.9 (Termination) We consider the evaluation of a function of type $\forall x_1 : A_1.\ \ldots\ \forall x_n : A_n.\ \exists y_1 : A_1'.\ \ldots\ \exists y_m : A_m'.\ \top$ applied to arguments $M_1, \ldots, M_n$ in a parameter context $\Phi$. The termination order is $O$ and all procedures (used as lemmas) terminate.

1. If $S = \Phi; C \triangleright P$ and $P$ is not a value then $S \Longrightarrow^* \Phi; C \triangleright V$ or the computation terminates prematurely.

2. If $S = \Phi; C \gg (t, S)$ then $S \Longrightarrow^* U$ or the computation terminates prematurely.

Proof: by induction lexicographically on ‘$\mathsf{order}(O, M_1 \ldots M_n)$’ and ($P$ (2) and $\Omega$ (3)). A detailed proof can be found in Appendix C. □

The evaluation of any program which, syntactically speaking, introduces only one outermost recursion variable and whose recursive calls and appeals to lemmas appear only in their natural form (without unnecessary reuses of auxiliary introduced meta-variables) must terminate given that side condition 5.1 is satisfied. The computation may still terminate prematurely because of an inexhaustive match exception from a case statement, but from the results discussed in the next section we learn that this cannot happen.
7.3  Coverage

In this section we show that the evaluation of any program that is not a value always makes progress. By inspecting the transition rules defining the small-step operational semantics, we can easily recognize that all but three rules are defined in a way that they must make progress: for every right-hand side of such a transition rule there is another rule whose left-hand side matches it. Moreover, for every program, there is a rule that matches it. The three exceptions are the rules trcase, tryes, and trno. What we have to guarantee is that once trcase is applied, there is a case in $\Omega$ which triggers tryes.

What would happen if there is no such case in $\Omega$? In such a situation trno would be applied for all cases in $\Omega$ until $\Omega = \cdot$, and consequently the evaluation would get stuck because there is no rule which applies to an empty $\Omega$! This situation must never occur. It would violate the important progress property.

Thus, we need to show that given side condition 5.2 is satisfied, $\Omega$ covers all possible cases. We first introduce the notion of most general unifier in Section 7.3.1, whose existence is crucial in our argument. In Section 7.3.2 we specify a syntactical and machine-checkable coverage criterion for side condition 5.2, and finally, we show in Section 7.3.3 that every program that satisfies this syntactic criterion always makes progress.

7.3.1  Motivation 

Our coverage analysis relies on the fact that canonical forms in LF are inductive [HHP93, Coq91]. Since every well-typed object in LF possesses a canonical form, case analysis of an object reduces to inductive reasoning about the canonical forms of its type. Unlike in Coq or Isabelle, where datatypes are defined by a set of finitely many constructors whose types satisfy the positivity condition, the situation is different in our setting. We are considering arbitrary higher-order LF objects well-typed under the regular world assumption. Our design is sound because we know that every object in LF has a canonical form, regardless of whether it is a function or not.

To illustrate the idea behind coverage, we return to Example 5.12 and observe that under the regular world assumption, the object $E : \mathsf{term}\ T$ can take three different (most general) forms:

1. $E' = x : \mathsf{term}\ T$

2. $E'' = \mathsf{lam}\ (\lambda x : \mathsf{term}\ T_1.\ E_1\,x) : \mathsf{term}\ (T_1\ \mathsf{arrow}\ T_2)$

3. $E''' = \mathsf{app}\ E_1\ E_2 : \mathsf{term}\ T_1$

The goal of coverage is to decide if the list of cases given in Example 5.12 really covers all the cases, and indeed, intuitively, in this situation it does. Consider the following list of cases $\Omega$. $E'$ is matched by the first case, $E''$ by the second, and $E'''$ by the third.

$T : \mathsf{tp}, (x : \mathsf{term}\ T, u : x \Rightarrow x)^L \triangleright T/T, x/E \mapsto \ldots$

$T_1 : \mathsf{tp}, T_2 : \mathsf{tp}, E_1 : \mathsf{term}\ T_1 \to \mathsf{term}\ T_2 \triangleright (T_1\ \mathsf{arrow}\ T_2)/T, \mathsf{lam}\ (\lambda x : \mathsf{term}\ T_1.\ E_1\,x)/E \mapsto \ldots$

$T_1 : \mathsf{tp}, T_2 : \mathsf{tp}, E_1 : \mathsf{term}\ (T_2\ \mathsf{arrow}\ T_1), E_2 : \mathsf{term}\ T_2 \triangleright T_1/T, \mathsf{app}\ E_1\ E_2/E \mapsto \ldots$

But how exactly do we decide this property? The answer lies in the proper analysis of the generalized substitutions that are part of each case declared in $\Omega$. For the purpose of this example, consider an environment $\eta$ (also a generalized substitution), where we presuppose a type ‘nat’ for natural numbers.

$(x' : \mathsf{term}\ \mathsf{nat}, u' : x' \Rightarrow x')^L \vdash \mathsf{nat}/T, x'/E \in T : \mathsf{tp}, E : \mathsf{term}\ T$

To see that the first case covers this environment one has to provide a new environment $\eta'$, such that $(T/T, x/E) \circ \eta' = \eta$. Indeed such an environment exists, and it has the following form.

$(x' : \mathsf{term}\ \mathsf{nat}, u' : x' \Rightarrow x')^L \vdash \mathsf{nat}/T, (x', u')/(x, u) \in T : \mathsf{tp}, (x : \mathsf{term}\ T, u : x \Rightarrow x)^L$

Therefore, in the general case, if we want to guarantee that a list of cases $\Omega$ contains an applicable case $(\Psi' \triangleright \psi; P)$ we have to ensure that for every $\Psi_0 \vdash \eta \in \Psi$, there exists a substitution $\Psi_0 \vdash \eta' \in \Psi'$ such that $\psi \circ \eta' = \eta$.

This small example already exhibits several important aspects of our design. First, the list of cases from Example 5.12 is the result of analyzing cases over one LF object $E : \mathsf{term}\ T$. In general, this need not be the case, because in Example 5.13 we distinguish cases over two LF objects simultaneously. Second, pattern matching and coverage analysis are very closely connected to generalized substitutions, their decompositions, and, as we will discuss below, unification of types. Third, our coverage criterion excludes impossible cases. For example, if we return to the formalization of the diamond Lemma 4.6, we first analyzed four cases for $D^l$, but only one for $D^r$, namely the parameter case. We deduced from typing constraints that the other three candidates for $D^r$ cannot occur.

In order to develop a formal coverage criterion, we must develop a complete algorithm to generate all possible forms of $\eta$ above. Our algorithm is defined by iteration; it expects one substitution together with its co-domain as input and generates a list of refining substitutions. Starting from the identity substitution $\mathsf{id}_\Psi$, it successively applies a refinement step by non-deterministically picking one variable declaration from the co-domain of the current environment and analyzing its forms in a most general fashion. The result is a set of generalized substitutions describing all possible shapes of $\Psi$.

Intuitively, the algorithm computes a list of “forms” describing the most general form of the environment, and by construction the coverage criterion is guaranteed to be satisfied. The algorithm terminates if the following criterion is satisfied: every substitution in the list returned by the algorithm matches some case in $\Omega$.

In this presentation, however, we are slightly more restrictive and expect $\Omega$ not only to match the set of substitutions calculated by the coverage algorithm, but “to be equal” to it. That means, we only allow $\Omega$s whose embedded substitutions can be generated by our coverage algorithm. This restriction can be easily lifted, but because we are predominantly interested in automation of case analysis, we leave this issue to future work.

The workings of the coverage algorithm are best illustrated by an example. First we consider the identity generalized substitution:

$T' : \mathsf{tp}, E' : \mathsf{term}\ T' \vdash T'/T, E'/E \in T : \mathsf{tp}, E : \mathsf{term}\ T$

What are the possible forms of $E'$? There are the three possibilities already mentioned above. First $E' = x$:

$T'' : \mathsf{tp}, (x : \mathsf{term}\ T'', u : x \Rightarrow x)^L \vdash x : \mathsf{term}\ T''$

Since $E' = x$, their types must be convertible ($\mathsf{term}\ T' = \mathsf{term}\ T''$), and therefore $T'' = T'$:

$T'' : \mathsf{tp}, (x : \mathsf{term}\ T'', u : x \Rightarrow x)^L \vdash T''/T, x/E \in T : \mathsf{tp}, E : \mathsf{term}\ T$

The second possibility is that $E$ is instantiated with a term starting with lam.

$T_1'' : \mathsf{tp}, T_2'' : \mathsf{tp}, E'' : \mathsf{term}\ T_1'' \to \mathsf{term}\ T_2'' \vdash \mathsf{lam}\ (\lambda x : \mathsf{term}\ T_1''.\ E''\,x) : \mathsf{term}\ (T_1''\ \mathsf{arrow}\ T_2'')$

By using the same argument as above, we obtain that $E = \mathsf{lam}\ (\lambda x : \mathsf{term}\ T_1''.\ E''\,x)$ and that $T = T_1''\ \mathsf{arrow}\ T_2''$.

$T_1'' : \mathsf{tp}, T_2'' : \mathsf{tp}, E'' : \mathsf{term}\ T_1'' \to \mathsf{term}\ T_2'' \vdash (T_1''\ \mathsf{arrow}\ T_2'')/T, (\mathsf{lam}\ (\lambda x : \mathsf{term}\ T_1''.\ E''\,x))/E \in T : \mathsf{tp}, E : \mathsf{term}\ T$

The third substitution, for $E = \mathsf{app}\ E_1\ E_2$, follows from a similar argument. It is easy to see that all substitutions are strict in their co-domain.

When we compare $E : \mathsf{term}\ T$ and $\mathsf{lam}\ (\lambda x : \mathsf{term}\ T_1''.\ E''\,x) : \mathsf{term}\ (T_1''\ \mathsf{arrow}\ T_2'')$ we conclude $T = T_1''\ \mathsf{arrow}\ T_2''$. Technically speaking, the operation hidden behind this comparison is unification. It cannot be matching, because in a different example $E$’s type might be more constrained. For example, it could be $E : \mathsf{term}\ ((T_1\ \mathsf{arrow}\ T_2)\ \mathsf{arrow}\ T_3)$, and then $T_1'' = (T_1\ \mathsf{arrow}\ T_2)$ and $T_2'' = T_3$.

The second case of this example exhibits that the unification problems in question are certainly not first-order, but higher-order, due to the higher-order character of the underlying representation. Higher-order unification problems are in general undecidable [Hue73], and therefore we must restrict our considerations to problems which are decidable, namely those which guarantee the existence of one most general unifier. Certainly, one can generalize this work to unification problems that have finite complete sets of general unifiers, but in all our experiments a one-element complete set of general unifiers suffices.

Most unification problems we are dealing with lie in fact in Miller’s pattern fragment [Mil91], which guarantees most general unifiers if they exist, but some of our unification problems fall outside the pattern fragment. Those unification problems have, in our experience, non-pattern occurrences of the form “existential variable applied to existential variable”, but in most cases they are still decidable by reordering the unification goals, in a way very similar to how we extended pattern matching to strict matching in Section 6.4.2. Unlike in matching, even if all existential variables occur in some strict position in the unification problem, this still need not guarantee decidability. This is clearly exemplified by the following example

$c\ X_1\ X_2\ M_1\ M_2\ (X_1\ M_1) \approx c\ Y_1\ Y_2\ N_1\ N_2\ (Y_2\ N_2)$

where ‘$c$’ is a constant and $X_1, X_2, M_1, M_2, Y_1, Y_2, N_1, N_2$ are existential variables, all occurring in strict positions in this equation. It is easy to see that this unification problem does not have a most general unifier because it reduces to a flex-flex pair $X_1\ M_1 \approx Y_2\ N_2$.

Therefore, we restrict the following discussion to unification problems for which most general unifiers exist. In addition, we expect that each variable in the co-domain of the unifying substitution occurs strictly in it; otherwise we might not be able to execute the proof term on our abstract machine. This is not just a technical restriction, but it also has practical consequences. Case analyses which fall outside this fragment are simply not valid in $\mathcal{M}_2^+$ and can hence not be expressed. In this work we do not present a unification algorithm for this fragment; we merely presuppose the existence of most general unifiers.

Definition 7.10 (Unifiers) We follow standard practice and write $M_1 \approx M_2$ and $A_1 \approx A_2$ for equations describing a unification problem $N$. $\psi$ is a solution for $N$ if $M_1[\psi] = M_2[\psi]$ for each equation $M_1 \approx M_2 \in N$ and $A_1[\psi] = A_2[\psi]$ for each equation $A_1 \approx A_2 \in N$. Formally, we write $\psi \in \mathsf{unify}(N)$. We say that $\sigma$ is a most general unifier of $N$ if for every other solution $\psi$ there exists a $\psi'$ s.t. $\sigma \circ \psi' = \psi$. Formally, we write $\sigma \in \mathsf{mgu}(N)$.
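The coverage algorithm sketched above (splitting $E : \mathsf{term}\ T$ into its most general forms, with the type unification that excludes impossible cases) and the unifiers of Definition 7.10 can be illustrated with an added first-order example. This is not the thesis's or Twelf's code: it replaces higher-order pattern unification with syntactic first-order unification, represents the function argument of lam by a plain variable and constants by 1-tuples, and the functions split, covers, unify, unifiable and the constructed case list EXAMPLE_CASES are this example's own names.

```python
# Added example, not code from the thesis or from Twelf: coverage by splitting
# with a syntactic unifier.  The thesis works with higher-order LF objects and
# pattern unification; this sketch is first-order.  A term is a variable (a
# string starting with an uppercase letter) or a tuple (head, arg1, ...);
# constants are 1-tuples such as ("nat",); the function argument of lam is
# represented by a single variable.  All inputs below are constructed.
import itertools


class Clash(Exception):
    """Constant/constant clash or occurs-check failure: the case cannot apply."""


def is_var(t):
    return isinstance(t, str) and t[:1].isupper()


def walk(t, s):
    while is_var(t) and t in s:
        t = s[t]
    return t


def occurs(v, t, s):
    t = walk(t, s)
    return v == t if is_var(t) else any(occurs(v, a, s) for a in t[1:])


def unify(eqs, s=None):
    """Most general unifier of the equations (pairs) as a dict, or raise Clash."""
    s = dict(s or {})
    todo = list(eqs)
    while todo:
        a, b = todo.pop()
        a, b = walk(a, s), walk(b, s)
        if a == b:
            continue
        if is_var(a):
            if occurs(a, b, s):
                raise Clash(f"occurs check: {a} in {b}")
            s[a] = b
        elif is_var(b):
            todo.append((b, a))
        elif a[0] != b[0] or len(a) != len(b):
            raise Clash(f"constant/constant clash: {a[0]} vs {b[0]}")
        else:
            todo.extend(zip(a[1:], b[1:]))
    return s


def unifiable(a, b):
    try:
        unify([(a, b)])
        return True
    except Clash:
        return False


def resolve(t, s):
    t = walk(t, s)
    return t if is_var(t) else (t[0],) + tuple(resolve(a, s) for a in t[1:])


def variables(t):
    return {t} if is_var(t) else set().union(*(variables(a) for a in t[1:]))


_counter = itertools.count()


def fresh(prefix):
    return f"{prefix}_{next(_counter)}"


def most_general_forms():
    """The three forms of E : term T of Section 7.3.1 with fresh variables:
    a parameter x, lam (\\x. E x) : term (T1 arrow T2), app E1 E2 : term T1."""
    t1, t2 = fresh("T"), fresh("T")
    return [
        (("x",), ("term", fresh("T"))),
        (("lam", fresh("E")), ("term", ("arrow", t1, t2))),
        (("app", fresh("E"), fresh("E")), ("term", fresh("T"))),
    ]


def split(e, e_type):
    """Refine variable e : e_type into its possible forms as (form, refined type).
    A form whose type clashes with e_type (Equation 7.2 unsolvable) is dropped."""
    forms = []
    for pattern, pattern_type in most_general_forms():
        try:
            s = unify([(e_type, pattern_type)])   # the types must unify (7.2)
        except Clash:
            continue                              # impossible case, excluded
        s[e] = pattern                            # e is bound to the form (7.1)
        forms.append((resolve(pattern, s), resolve(e_type, s)))
    return forms


def matches(pattern, term):
    """One-way matching: pattern instantiates to term without binding term's variables."""
    try:
        s = unify([(pattern, term)])
    except Clash:
        return False
    return not (variables(term) & set(s))


def covers(cases, e_type, e="E"):
    """Coverage criterion: every form produced by split is matched by some case."""
    return all(any(matches(c, form) for c in cases) for form, _ in split(e, e_type))


# The case patterns of Example 5.12 on E (case bodies omitted).
EXAMPLE_CASES = [("x",), ("lam", "E1"), ("app", "E1", "E2")]

if __name__ == "__main__":
    for form, t in split("E", ("term", "T")):
        print(form, ":", t)
    print(covers(EXAMPLE_CASES, ("term", "T")))                       # True
    print(covers(EXAMPLE_CASES[:2], ("term", "T")))                   # False: app uncovered
    # E : term nat rules out lam by a constant/constant clash (nat vs arrow)
    print(covers([("x",), ("app", "E1", "E2")], ("term", ("nat",))))  # True
```

The last call shows the third aspect noted above: for $E : \mathsf{term}\ \mathsf{nat}$ the lam form is dropped because its type $\mathsf{term}\ (T_1\ \mathsf{arrow}\ T_2)$ clashes with $\mathsf{term}\ \mathsf{nat}$, so a case list without a lam case still covers all forms.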


We return to the proof of the substitution Lemma 4.5 in order to determine the exact form of the unification problem. It clearly shows how declarations of functional type must be split. We consider a snapshot of the context shortly before the case analysis over $D_1$ takes place.

$T_1 : \mathsf{tp}, T_2 : \mathsf{tp}, E_1 : \mathsf{term}\ T_2 \to \mathsf{term}\ T_1, E_1' : \mathsf{term}\ T_2 \to \mathsf{term}\ T_1, E_2 : \mathsf{term}\ T_2, E_2' : \mathsf{term}\ T_2,$
$D_1 : \Pi y : \mathsf{term}\ T_2.\ y \Rightarrow y \to (E_1\,y) \Rightarrow (E_1'\,y), D_2 : E_2 \Rightarrow E_2'$

$D_1$ is of functional type. What possible forms can it take? We extract this list from the proof term from Figure 4.3.

$D_1^{(1)} : \Pi y : \mathsf{term}\ T_2.\ y \Rightarrow y \to x \Rightarrow x$
$\quad = \lambda y : \mathsf{term}\ T_2.\ \lambda v : y \Rightarrow y.\ u$

$D_1^{(2)} : \Pi y : \mathsf{term}\ T_2.\ y \Rightarrow y \to y \Rightarrow y$
$\quad = \lambda y : \mathsf{term}\ T_2.\ \lambda v : y \Rightarrow y.\ v$

$D_1^{(3)} : \Pi y : \mathsf{term}\ T_2.\ y \Rightarrow y \to (\mathsf{app}\ (\mathsf{lam}\ (\lambda z.\ \hat E_1\,y\,z))\ (\hat E_2\,y)) \Rightarrow (\hat E_1'\,y\,(\hat E_2'\,y))$
$\quad = \lambda y : \mathsf{term}\ T_2.\ \lambda v : y \Rightarrow y.\ \mathsf{pbeta}\ (\lambda x : \mathsf{term}\ T_1.\ \lambda u : x \Rightarrow x.\ \hat D_1\,y\,v\,x\,u)\ (\hat D_2\,y\,v)$

$D_1^{(4)} : \Pi y : \mathsf{term}\ T_2.\ y \Rightarrow y \to (\mathsf{lam}\ (\lambda z.\ \hat E_1\,y\,z)) \Rightarrow (\mathsf{lam}\ (\lambda z.\ \hat E_1'\,y\,z))$
$\quad = \lambda y : \mathsf{term}\ T_2.\ \lambda v : y \Rightarrow y.\ \mathsf{plam}\ (\lambda x : \mathsf{term}\ T_1.\ \lambda u : x \Rightarrow x.\ \hat D_1\,y\,v\,x\,u)$

$D_1^{(5)} : \Pi y : \mathsf{term}\ T_2.\ y \Rightarrow y \to (\mathsf{app}\ (\hat E_1\,y)\ (\hat E_2\,y)) \Rightarrow (\mathsf{app}\ (\hat E_1'\,y)\ (\hat E_2'\,y))$
$\quad = \lambda y : \mathsf{term}\ T_2.\ \lambda v : y \Rightarrow y.\ \mathsf{papp}\ (\hat D_1\,y\,v)\ (\hat D_2\,y\,v)$


The variables marked with a hat, such as $\hat E$ and $\hat D$, are new. Going back to the algorithm which splits variables from the co-domain of a substitution, we must therefore pay special attention to variables of functional type. Also in this example, we initialize the coverage algorithm with the identity substitution.

$T_1 : \mathsf{tp}, T_2 : \mathsf{tp}, E_1 : \mathsf{term}\ T_2 \to \mathsf{term}\ T_1, E_1' : \mathsf{term}\ T_2 \to \mathsf{term}\ T_1, E_2 : \mathsf{term}\ T_2, E_2' : \mathsf{term}\ T_2,$
$D_1 : \Pi y : \mathsf{term}\ T_2.\ y \Rightarrow y \to (E_1\,y) \Rightarrow (E_1'\,y), D_2 : E_2 \Rightarrow E_2'$
$\vdash T_1/T_1, T_2/T_2, E_1/E_1, E_1'/E_1', E_2/E_2, E_2'/E_2', D_1/D_1, D_2/D_2$
$\in T_1 : \mathsf{tp}, T_2 : \mathsf{tp}, E_1 : \mathsf{term}\ T_2 \to \mathsf{term}\ T_1, E_1' : \mathsf{term}\ T_2 \to \mathsf{term}\ T_1, E_2 : \mathsf{term}\ T_2, E_2' : \mathsf{term}\ T_2,$
$\quad D_1 : \Pi y : \mathsf{term}\ T_2.\ y \Rightarrow y \to (E_1\,y) \Rightarrow (E_1'\,y), D_2 : E_2 \Rightarrow E_2'$

The coverage algorithm picks $D_1$ for splitting, and from its type it deduces that there are two local parameters, $y : \mathsf{term}\ T_2$ and $v : y \Rightarrow y$, which may occur free in its body. This means that when we consider refining $D_1$ to $\mathsf{papp}\ \hat D_1\ \hat D_2$ we must let $\hat D_1$ and $\hat D_2$ depend on $y, v$! Therefore, we rely on another algorithm which raises the types of the arguments by introducing those new dependencies. According to its intention, the algorithm is called raising. Given the type $A$ of a constructor, $\mathsf{raise}(\Gamma, A)$ generates a list of raised argument variables in form of a generalized context and a refined target type. Note that in order to execute raising on the LF level we actually invoke the abstraction function defined in Section 6.2.2, which accounts for subordination. In the example of papp above,

$\mathsf{raise}(y : \mathsf{term}\ T_2, v : y \Rightarrow y,$
$\quad \Pi t_1 : \mathsf{tp}.\ \Pi t_2 : \mathsf{tp}.\ \Pi e_1 : \mathsf{term}\ (t_2\ \mathsf{arrow}\ t_1).\ \Pi e_1' : \mathsf{term}\ (t_2\ \mathsf{arrow}\ t_1).\ \Pi e_2 : \mathsf{term}\ t_2.\ \Pi e_2' : \mathsf{term}\ t_2.$
$\quad e_1 \Rightarrow e_1' \to e_2 \Rightarrow e_2' \to (\mathsf{app}\ e_1\ e_2) \Rightarrow (\mathsf{app}\ e_1'\ e_2'))$

$= T_1 : \mathsf{tp}, T_2 : \mathsf{tp},$
$\quad E_1 : \mathsf{term}\ T_2 \to \mathsf{term}\ (T_2\ \mathsf{arrow}\ T_1), E_1' : \mathsf{term}\ T_2 \to \mathsf{term}\ (T_2\ \mathsf{arrow}\ T_1),$
$\quad E_2 : \mathsf{term}\ T_2 \to \mathsf{term}\ T_2, E_2' : \mathsf{term}\ T_2 \to \mathsf{term}\ T_2,$
$\quad D_1 : \Pi y : \mathsf{term}\ T_2.\ y \Rightarrow y \to (E_1\,y) \Rightarrow (E_1'\,y),$
$\quad D_2 : \Pi y : \mathsf{term}\ T_2.\ y \Rightarrow y \to (E_2\,y) \Rightarrow (E_2'\,y)$
$\triangleright (\mathsf{app}\ (E_1\,y)\ (E_2\,y)) \Rightarrow (\mathsf{app}\ (E_1'\,y)\ (E_2'\,y))$

As discussed already, the subordination relation satisfies

$\mathsf{term} \not\preceq \mathsf{tp}$
$({\Rightarrow}) \not\preceq \mathsf{tp}$
$({\Rightarrow}) \not\preceq \mathsf{term}$

and therefore

$\Pi(y : \mathsf{term}\ T_2, v : y \Rightarrow y).\ \mathsf{tp} = \mathsf{tp}$

$\Pi(y : \mathsf{term}\ T_2, v : y \Rightarrow y).\ \mathsf{term}\ T_2 = \mathsf{term}\ T_2 \to \mathsf{term}\ T_2$

which explains the form of the raised version of the type of papp. In general, raising is defined by the judgment

Raising: $\Psi \vdash \mathsf{raise}(\Gamma, A_1) = (\Psi_2 \triangleright A_2)$

and two rules specify the behavior of the raising algorithm.

$\dfrac{}{\Psi \vdash \mathsf{raise}(\Gamma, B) = (\cdot \triangleright \Pi\Gamma.\ B)}\ \text{raisebase}$

$\dfrac{\Psi, x : \Pi\Gamma.\ A_1 \vdash \mathsf{raise}(\Gamma, A_2[x\ \Gamma / x]) = (\Psi_2 \triangleright A')}{\Psi \vdash \mathsf{raise}(\Gamma, \Pi x : A_1.\ A_2) = (x : \Pi\Gamma.\ A_1, \Psi_2 \triangleright A')}\ \text{raisepi}$

Lemma 7.11 (Properties of Raising) If $\Psi \vdash M : A$ and $\Psi \vdash \mathsf{raise}(\Gamma, A) = (\Psi' \triangleright B)$ then $\Psi, \Psi' \vdash \lambda\Gamma.\ M\ (\Psi'\ \Gamma) : \Pi\Gamma.\ B$.

Proof: by induction on $A$. □
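The two raising rules, together with the subordination filter that the thesis delegates to the abstraction function of Section 6.2.2, as an added example in Python (not the thesis's or Twelf's code). The subordination relation SUBORD, the tuple encoding of types and terms, and the names raise_type, pi_over, kept and subst are assumptions of this example; PAPP_TYPE is the constructed type of papp from the raising example above, with e1p and e2p standing for $e_1'$ and $e_2'$.

```python
# Added example, not code from the thesis or from Twelf: the raising judgment
# raise(Gamma, A) = (Psi' |> B) of the rules raisebase and raisepi, with the
# subordination filter that the thesis delegates to the abstraction function
# of Section 6.2.2.  Types are tuples: ("tp",), ("term", M), ("red", M, N) for
# the parallel reduction M => N, and ("pi", x, A1, A2) for Pi x:A1. A2 (a
# non-dependent arrow is a Pi whose variable does not occur).  Terms are
# variables (strings) or applications (head, arg1, ...).  Binder names are
# assumed distinct, so no capture handling is needed, and constructor
# arguments are assumed to have base types.

# Constructed subordination relation: (a, b) means objects of family a may
# occur in objects of family b.  tp occurs in term and in =>, term in =>.
SUBORD = {("tp", "term"), ("tp", "red"), ("term", "red")}


def family(A):
    return A[0]


def kept(gamma, A, subord=SUBORD):
    """Declarations of Gamma whose family may occur in objects of type A."""
    fam = family(A)
    return [(y, B) for (y, B) in gamma
            if family(B) == fam or (family(B), fam) in subord]


def pi_over(gamma, A, subord=SUBORD):
    """Pi Gamma. A, abstracting only the declarations kept by subordination."""
    result = A
    for y, B in reversed(kept(gamma, A, subord)):
        result = ("pi", y, B, result)
    return result


def subst(t, x, r):
    """t[r/x]; an occurrence of x in head position is applied to r's arguments."""
    if isinstance(t, str):
        return r if t == x else t
    head, *args = t
    args = [subst(a, x, r) for a in args]
    if head == x and isinstance(r, tuple):
        return (*r, *args)
    return (head, *args)


def raise_type(gamma, A, subord=SUBORD):
    """raise(Gamma, A) = (context, target) by raisebase (base A) and raisepi (Pi)."""
    if family(A) != "pi":
        return [], pi_over(gamma, A, subord)                   # raisebase
    _, x, A1, A2 = A
    x_type = pi_over(gamma, A1, subord)                        # x : Pi Gamma. A1
    ys = [y for y, _ in kept(gamma, A1, subord)]
    A2_raised = subst(A2, x, (x, *ys)) if ys else A2           # A2[x Gamma / x]
    rest, target = raise_type(gamma, A2_raised, subord)        # raisepi
    return [(x, x_type)] + rest, target


def arrow(A, B, name):
    """Non-dependent A -> B as a Pi with a dummy variable name."""
    return ("pi", name, A, B)


# The type of papp from the raising example, as a constructed input;
# e1p, e2p stand for e1', e2'.
PAPP_TYPE = (
    "pi", "t1", ("tp",),
    ("pi", "t2", ("tp",),
     ("pi", "e1", ("term", ("arrow", "t2", "t1")),
      ("pi", "e1p", ("term", ("arrow", "t2", "t1")),
       ("pi", "e2", ("term", "t2"),
        ("pi", "e2p", ("term", "t2"),
         arrow(("red", "e1", "e1p"),
               arrow(("red", "e2", "e2p"),
                     ("red", ("app", "e1", "e2"), ("app", "e1p", "e2p")),
                     "d2"),
               "d1")))))),
)
# Gamma = y : term T2, v : y => y
GAMMA = [("y", ("term", "T2")), ("v", ("red", "y", "y"))]


def raise_papp():
    return raise_type(GAMMA, PAPP_TYPE)


if __name__ == "__main__":
    ctx, target = raise_papp()
    for x, A in ctx:
        print(x, ":", A)
    print("|>", target)
```

Running it reproduces the raised context of the example: t1 and t2 keep the type tp (nothing in Γ may occur in a type), e1 and e2 are abstracted over y only, and the two reduction arguments and the target are abstracted over both y and v.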

Once the raised version of papp is calculated, we have to unify the originally picked

$D_1 : \Pi y : \mathsf{term}\ T_2.\ y \Rightarrow y \to (E_1\,y) \Rightarrow (E_1'\,y)$

with the refined version (where we are overly explicit in the arguments applied to the constant).

$\lambda y : \mathsf{term}\ T_2.\ \lambda v : y \Rightarrow y.\ \mathsf{papp}\ \hat T_1\ \hat T_2\ (\hat E_1\,y)\ (\hat E_1'\,y)\ (\hat E_2\,y)\ (\hat E_2'\,y)\ (\hat D_1\,y\,v)\ (\hat D_2\,y\,v)$
$\quad : \Pi y : \mathsf{term}\ T_2.\ y \Rightarrow y \to (\mathsf{app}\ (\hat E_1\,y)\ (\hat E_2\,y)) \Rightarrow (\mathsf{app}\ (\hat E_1'\,y)\ (\hat E_2'\,y))$

As a result we obtain the following two equations:

$D_1 \approx \lambda y : \mathsf{term}\ T_2.\ \lambda v : y \Rightarrow y.\ \mathsf{papp}\ \hat T_1\ \hat T_2\ (\hat E_1\,y)\ (\hat E_1'\,y)\ (\hat E_2\,y)\ (\hat E_2'\,y)\ (\hat D_1\,y\,v)\ (\hat D_2\,y\,v)$ (7.1)

$\Pi y : \mathsf{term}\ T_2.\ y \Rightarrow y \to (E_1\,y) \Rightarrow (E_1'\,y) \approx \Pi y : \mathsf{term}\ T_2.\ y \Rightarrow y \to (\mathsf{app}\ (\hat E_1\,y)\ (\hat E_2\,y)) \Rightarrow (\mathsf{app}\ (\hat E_1'\,y)\ (\hat E_2'\,y))$ (7.2)

Equation (7.1) binds $D_1$, and Equation (7.2) expresses that the types of both participating objects must be unifiable.

In this situation, the unification problem has one most general solution. We show a version of the solution substitution $\psi$ whose domain equals the co-domain of the substitution modeling the environment we originally started with.

$\hat T_1/T_1, T_2/T_2, (\mathsf{app}\ (\hat E_1\,y)\ (\hat E_2\,y))/E_1, (\mathsf{app}\ (\hat E_1'\,y)\ (\hat E_2'\,y))/E_1', E_2/E_2, E_2'/E_2',$
$(\lambda y : \mathsf{term}\ T_2.\ \lambda v : y \Rightarrow y.\ \mathsf{papp}\ \hat T_1\ \hat T_2\ (\hat E_1\,y)\ (\hat E_1'\,y)\ (\hat E_2\,y)\ (\hat E_2'\,y)\ (\hat D_1\,y\,v)\ (\hat D_2\,y\,v))/D_1,$
$D_2/D_2$

The co-domain $\Psi'$ of this substitution can now be easily read out of the substitution itself.

$\Psi' = \hat T_1 : \mathsf{tp}, \hat T_2 : \mathsf{tp}, T_2 : \mathsf{tp},$
$\quad \hat E_1 : \mathsf{term}\ T_2 \to \mathsf{term}\ (\hat T_2\ \mathsf{arrow}\ \hat T_1), \hat E_1' : \mathsf{term}\ T_2 \to \mathsf{term}\ (\hat T_2\ \mathsf{arrow}\ \hat T_1),$
$\quad \hat E_2 : \mathsf{term}\ T_2 \to \mathsf{term}\ \hat T_2, \hat E_2' : \mathsf{term}\ T_2 \to \mathsf{term}\ \hat T_2,$
$\quad E_2 : \mathsf{term}\ T_2, E_2' : \mathsf{term}\ T_2,$
$\quad \hat D_1 : \Pi y : \mathsf{term}\ T_2.\ y \Rightarrow y \to (\hat E_1\,y) \Rightarrow (\hat E_1'\,y),$
$\quad \hat D_2 : \Pi y : \mathsf{term}\ T_2.\ y \Rightarrow y \to (\hat E_2\,y) \Rightarrow (\hat E_2'\,y),$
$\quad D_2 : E_2 \Rightarrow E_2'$

Note that by construction $\Psi'$ occurs strictly in $\psi$, as required. We want to stress that while not all variables are involved in the unification operation, their types might be. The substitution $\psi$, for example, acts as the identity on $T_2$, $E_2$, $E_2'$ and $D_2$; the change in types is best observed directly in the proof of the diamond Lemma 4.6. There, while splitting the left reduction of $E \Rightarrow E^l$, case analysis instantiates $E$ with another term, e.g. a parameter $x$ in the global parameter case, and therefore the type of the right reduction $D^r : E \Rightarrow E^r$ changes to $D^r : x \Rightarrow E^r$, even though $D^r$ itself does not change. New information acquired during case analysis may therefore be recorded in the types of other assumptions.

Back to our example. One can easily verify that the substitution $\psi$ is most general. Given any solution $\eta$ of the unification problem specified by Equation (7.1) and Equation (7.2), it can be rewritten as $\psi \circ \eta'$. As a matter of fact, this observation already provides the basic insight into our coverage argument, and the reader is invited to look out for how this fact is used in the proof.

Naturally, in general, the unification problem may not have a solution. There are a few
ways in which unification in Equation (7.2) can fail: there can be a constant/constant clash, a
constant/variable clash (where the variable is locally bound in the term), a constant/parameter
clash (where the parameter is represented by a parameter variable in the generalized context), a
variable/variable clash, a variable/parameter clash, or a parameter/parameter clash. If any of
these clashes occurs when analyzing cases, one can be sure, because of the uniqueness
of typing, that the affected case does not apply. The reader is invited to verify for himself or herself that
the algorithm also returns the other four substitutions necessary to cover the remaining cases of $D_1$.

In summary, we have motivated an algorithm to compute a complete list of substitutions
which describe all possible instantiations of any generalized context $\Psi$. In the next section we
formally define this algorithm in the form of a syntactic criterion for side condition 5.2, and in
Section 7.3.3 we prove that it indeed guarantees correctness. $\mathcal{M}_2^+$ owes the feasibility of this
approach to the logical framework LF and pattern unification, in particular to the existence of
canonical forms and the existence of most general unifiers.

7.3.2  Coverage  Condition 

We begin now with the formal presentation of the coverage algorithm. The goal is to establish a
criterion on the case rule that guarantees that any program of the form 'case ($\psi$; $\delta$) of $\Omega$' covers
all possible cases. For the sake of this exposition, we are very restrictive about the form of $\Omega$;
specifically, we require that all cases in $\Omega$ are in one-to-one correspondence with the outcome of
the coverage algorithm sketched in the previous section. The reason is that the implementation
described in Chapter 8 follows the outline of this algorithm to generate cases, thereby trivially
guaranteeing its correctness. On the other hand, one can easily extend this criterion to check whether
a given set of cases really covers all possibilities, but we leave this issue to future investigation.

Recall that $\Omega$ is defined as a list of cases, and each case has the form $(\Psi \triangleright \psi \mapsto P)$. For
this discussion the form of the different $P$'s is unimportant. What is important are the $\Psi$'s and
the $\psi$'s, the main players in the coverage algorithm sketched above. As we will see below, the
outcome of the algorithm is guaranteed to cover all cases, and thus we introduce as an auxiliary
construct a list of pairs $(\Psi \triangleright \psi)$ which we call a cover for $\Omega$.

Cover: $\omega ::= \cdot \mid \omega, (\Psi \triangleright \psi)$

Next, we formalize the coverage algorithm. Several judgments are involved in its definition and
we discuss each one and its implementation in turn. According to the canonical form theorem,
there are three possible head constructors for each object of a type: a constant defined in the
signature (Constant Coverage), a local parameter introduced by a $\lambda$-binder in case the object
is a function (Local Parameter Coverage), or a global parameter which is part of the parameter
context (due to the regular world assumption). All three cases are treated in a very similar
way, but special attention has to be paid to the last case: the form of parameter contexts is regular,
and it is inductively described by context schemas; context schemas consist of several context
blocks, and each context block of several BLOCK-declarations. Every possibility has to be
accounted for, that is, we have to traverse and examine each declaration in every BLOCK-block
(Global Parameter Coverage) of the specified context schema (Schematic Coverage).
There are two further judgments combining partial coverage results: first, there is 'single
coverage', which combines the results of splitting one single variable, and second, there is a judgment
that allows the algorithm to successively and non-deterministically pick one variable from the
co-domain of an already computed cover and split it. The result is a new, further refined cover.

Judgments

Constant Coverage: $\Psi_1; x{:}\Pi\Gamma_x.B_x; \Psi_2 \vdash \Sigma \gg \omega\ \mathrm{cover}$

Local Parameter Coverage: $\Psi_1; x{:}\Pi\Gamma_x.B_x; \Psi_2 \vdash \Gamma \gg \omega\ \mathrm{cover}$

Global Parameter Coverage: $\Psi_1; x{:}\Pi\Gamma_x.B_x; \Psi_2; \Psi_3 \vdash \rho \gg \omega\ \mathrm{cover}$

Schematic Coverage: $\Psi_1; x{:}\Pi\Gamma_x.B_x; \Psi_2 \vdash S \gg \omega\ \mathrm{cover}$

Single Coverage: $\Psi \vdash \omega\ \mathrm{cover}$

Multiple Coverage: $\Psi \vdash \omega\ \mathrm{cover}^*$


These six judgments specify the coverage algorithm, and its operational meaning is defined
by inference rules. The first three judgments are defined by three rules each. For example, there
is a rule (whose name ends in empty) for the empty signature, the empty local context, and
the empty BLOCK-block. Depending on whether a most general unifier can be determined using the
construction sketched above, there is a rule (whose name ends in unify) which adds a new entry
to the cover. If a most general unifier does not and cannot exist, there is a rule (whose name ends
in skip) which skips ahead and examines the next constant/local parameter/global parameter.

As a representation invariant, in the first two and the fourth judgment, $\Psi_1; x{:}\Pi\Gamma_x.B_x; \Psi_2$ is a
valid generalized context, and $x$ is the assumption for which cases are to be considered. Similarly,
in the third judgment, $\Psi_1; x{:}\Pi\Gamma_x.B_x; \Psi_2; \Psi_3$ is a valid generalized context. What exactly $\Psi_3$
stands for will be discussed below.


Rules  for  Constant  Coverage 

The left hand side of the judgment for constant coverage consists of three parts. In fact, if one
replaces the ';' by a ',' the left hand side forms a generalized context. Enclosed by the two ';' is
the declaration which we want to split over. $\Pi\Gamma_x.B_x$ is shorthand for the type of $x$, which
may be a function type introducing local parameters $\Gamma_x = y_1{:}A_1, \ldots, y_n{:}A_n$. If we were perfectly
explicit, we would write

$$\Pi\Gamma_x.B_x = \Pi y_1{:}A_1.\ \ldots\ \Pi y_n{:}A_n.\ B_x$$

where $B_x$ is atomic, i.e. not a function type.

The $\Sigma$ in between the $\vdash$ and the $\gg$ is the structure we are examining for possible head
constructors of $x$. For constants it is the signature, for local variables it is some context $\Gamma$, and
for global variables we simply use a variable block. Finally, $\omega$ is being returned, if we attach an
operational (bottom-up) reading to the rules. Therefore, if $\Sigma = \cdot$, the returned cover will be
empty.

$$\frac{}{\Psi_1; x{:}\Pi\Gamma_x.B_x; \Psi_2 \vdash \cdot \gg \cdot\ \mathrm{cover}}\ \mathrm{ccempty}$$

The two following rules are best described by their operational interpretation. The coverage
algorithm examines a non-empty signature $\Sigma, c{:}\Pi\Gamma_c.B_c$. In the example above, $c$ would be
papp, and $\Pi\Gamma_c.B_c$ its type. Is $c$ a valid head constructor for $x$? The answer is yes, as long as the
type of $c$ after raising it and applying it to the right arguments (exactly the same way as we have
sketched it in the previous section) and the type of $x$ have a most general unifier. We write $\Psi'$
for the new set of variables which form the co-domain of the substitution. They correspond to the
list of variables marked by a hat as the outcome of the raising operation in the previous section.
If such a unifier exists, we call it $\psi$; then we calculate a cover $\omega$ for the remaining signature $\Sigma$
and return $\omega, (\Psi' \triangleright \psi)$.


$$\frac{\Psi_1; x{:}\Pi\Gamma_x.B_x; \Psi_2 \vdash \Sigma \gg \omega\ \mathrm{cover}}{\Psi_1; x{:}\Pi\Gamma_x.B_x; \Psi_2 \vdash \Sigma, c{:}\Pi\Gamma_c.B_c \gg \omega, (\Psi' \triangleright \psi|_{\Psi})\ \mathrm{cover}}\ \mathrm{ccunify}$$

where

$$\begin{array}{l}
\Psi = \Psi_1, x{:}\Pi\Gamma_x.B_x, \Psi_2\\
\Psi \vdash \mathrm{raise}\,(\Gamma_x, \Pi\Gamma_c.B_c) = (\Psi_c \triangleright \Pi\Gamma_x.B'_c)\\
\Psi' \vdash \psi = \mathrm{mgu}\,(\Pi\Gamma_x.B_x \approx \Pi\Gamma_x.B'_c,\ x \approx \lambda\Gamma_x.\,c\,(\Psi_c\,\Gamma_x)) : \Psi, \Psi_c\\
\Psi' \vdash (\cdot \triangleright \psi)\ \mathrm{strict}
\end{array}$$

In addition, we require that the new generalized context $\Psi'$ is strict in $\psi$. We are very much
convinced that the way we have implemented unification in Chapter 8 only returns pairs $(\Psi' \triangleright \psi)$
that are strict, but because we do not present the unification algorithm in this thesis, we stipulate
strictness as a requirement, until we have described the unification algorithm in future work.
Should a non-strict substitution result from the unification operation, there cannot be
a cover.

Dually to this rule, if the unification algorithm fails because of a clash, we simply return the
cover $\omega$ calculated for the remaining signature $\Sigma$.

$$\frac{\Psi_1; x{:}\Pi\Gamma_x.B_x; \Psi_2 \vdash \Sigma \gg \omega\ \mathrm{cover}}{\Psi_1; x{:}\Pi\Gamma_x.B_x; \Psi_2 \vdash \Sigma, c{:}\Pi\Gamma_c.B_c \gg \omega\ \mathrm{cover}}\ \mathrm{ccskip}$$

where

$$\begin{array}{l}
\Psi = \Psi_1, x{:}\Pi\Gamma_x.B_x, \Psi_2\\
\Psi \vdash \mathrm{raise}\,(\Gamma_x, \Pi\Gamma_c.B_c) = (\Psi_c \triangleright \Pi\Gamma_x.B'_c)\\
\Pi\Gamma_x.B_x \approx \Pi\Gamma_x.B'_c,\ x \approx \lambda\Gamma_x.\,c\,(\Psi_c\,\Gamma_x)\ \text{do not unify}
\end{array}$$

If the unification problem fails for reasons other than a clash, the coverage algorithm will not
return an answer. Non-strict substitutions $\psi$ and non-clash failures are a strong indication that
it cannot be decided whether a unification problem has a most general unifier or not.

Rules  for  Local  Parameter  Coverage 


The rules for local parameter coverage cover cases such as the one in the example in the previous
section. $D_1$ can be of the form of a function which uses the locally introduced argument $v$ in
the body.

$$D_1 : \Pi y{:}\mathsf{term}\ T_2.\ y \Rightarrow y \to y \Rightarrow y = \lambda y{:}\mathsf{term}\ T_2.\ \lambda v{:}y \Rightarrow y.\ v$$

From the perspective of the coverage algorithm, semantically, there is no difference between a
constant and a locally introduced parameter. The parameter is essentially seen as a dynamically
introduced constant, and this view is reflected in the three rules below. The left hand side of the
$\vdash$ symbol in the judgment for local parameter coverage is the generalized context, which exposes
the variable $x$ and its type $\Pi\Gamma_x.B_x$. As above, $x$ is instantiated by an object that expects as
arguments $\Gamma_x$. The algorithm considers all cases with parameters declared in $\Gamma_x$ as head. Thus,
the judgment iterates through $\Gamma_x$, and in order to avoid confusion, we denote the intermediate
versions of this context by $\Gamma$. If $\Gamma$ is empty, an empty cover is returned.

$$\frac{}{\Psi_1; x{:}\Pi\Gamma_x.B_x; \Psi_2 \vdash \cdot \gg \cdot\ \mathrm{cover}}\ \mathrm{lcempty}$$

If $\Gamma$ is not empty but contains a declaration of a parameter $p : \Pi\Gamma_p.B_p$, then we use exactly the
same technique as above, raising $p$'s type by $\Gamma_x$ and trying to unify the types. Should the
unification process terminate successfully, with a strict most general unifier $\psi$ and co-domain
$\Psi'$, we proceed as above and return an extended cover.

$$\frac{\Psi_1; x{:}\Pi\Gamma_x.B_x; \Psi_2 \vdash \Gamma \gg \omega\ \mathrm{cover}}{\Psi_1; x{:}\Pi\Gamma_x.B_x; \Psi_2 \vdash \Gamma, p{:}\Pi\Gamma_p.B_p \gg \omega, (\Psi' \triangleright \psi|_{\Psi})\ \mathrm{cover}}\ \mathrm{lcunify}$$

where

$$\begin{array}{l}
\Psi = \Psi_1, x{:}\Pi\Gamma_x.B_x, \Psi_2\\
\Psi \vdash \mathrm{raise}\,(\Gamma_x, \Pi\Gamma_p.B_p) = (\Psi_p \triangleright \Pi\Gamma_x.B'_p)\\
\Psi' \vdash \psi = \mathrm{mgu}\,(\Pi\Gamma_x.B_x \approx \Pi\Gamma_x.B'_p,\ x \approx \lambda\Gamma_x.\,p\,(\Psi_p\,\Gamma_x)) : \Psi, \Psi_p\\
\Psi' \vdash (\cdot \triangleright \psi)\ \mathrm{strict}
\end{array}$$

Should  such  a  unifier  not  exist  (and  again,  unification  must  have  failed  with  some  kind  of  clash 
indicating  that  it  is  really  impossible  to  unify  these  two  types)  then  the  coverage  algorithm 
returns  the  cover  it  has  calculated  for  the  remaining  list  of  parameters. 

$$\frac{\Psi_1; x{:}\Pi\Gamma_x.B_x; \Psi_2 \vdash \Gamma \gg \omega\ \mathrm{cover}}{\Psi_1; x{:}\Pi\Gamma_x.B_x; \Psi_2 \vdash \Gamma, p{:}\Pi\Gamma_p.B_p \gg \omega\ \mathrm{cover}}\ \mathrm{lcskip}$$

where

$$\begin{array}{l}
\Psi = \Psi_1, x{:}\Pi\Gamma_x.B_x, \Psi_2\\
\Psi \vdash \mathrm{raise}\,(\Gamma_x, \Pi\Gamma_p.B_p) = (\Psi_p \triangleright \Pi\Gamma_x.B'_p)\\
\Pi\Gamma_x.B_x \approx \Pi\Gamma_x.B'_p,\ x \approx \lambda\Gamma_x.\,p\,(\Psi_p\,\Gamma_x)\ \text{do not unify}
\end{array}$$

With  these  two  operations  and  under  the  closed  world  assumption,  we  can  already  calculate  a 
complete  cover  if  we  split  a  variable  of  arbitrary  type. 

Rules  for  Global  Parameter  Coverage 


Under the regular world assumption, however, we must also consider the case that $x : \Pi\Gamma_x.B_x$
is instantiated with a parameter from the parameter context. Recall that these parameter
contexts are in general finite, but arbitrarily long, and therefore it is infeasible to introduce a
case for each possible parameter from the parameter context. In Section 4, we have motivated
that under the regular world assumption, parameter contexts are regularly formed, and each
parameter block is an instance of one of finitely many block schemas. In addition, we have
introduced a new variable concept that can range over those blocks, and we called them variable
blocks $\rho$. The regular structure of parameter contexts is a priori defined by the context schema,
which is part of any general formula. Thus, with the help of the context schemas and variable
blocks, we can in fact examine coverage. Since we know that the parameter context is regularly
formed, we simply examine each possible block schema, and observe whether it contains a parameter
which might be the head of $x$. In the example from the previous section, for example, the body
of $x$ could be $u$.

$$D_1 : \Pi y{:}\mathsf{term}\ T_2.\ y \Rightarrow y \to x \Rightarrow x = \lambda y{:}\mathsf{term}\ T_2.\ \lambda v{:}y \Rightarrow y.\ u$$

Therefore, it should not come as a surprise that the structure of the rules for global parameter
coverage resembles the two blocks of rules already discussed. The only difference is that in these
rules we range in addition over a variable block, and check each single declaration.

$$\frac{}{\Psi_1; x{:}\Pi\Gamma_x.B_x; \Psi_2; \Psi_3 \vdash \cdot \gg \cdot\ \mathrm{cover}}\ \mathrm{gcempty}$$

Because of the form of context blocks and additional dependencies, we augment the left hand
side of the judgment with a third partial generalized context $\Psi_3$, which captures all SOME-variables
and the entire variable block itself. We need $\Psi_3$ because $\Psi, \Psi_3 \vdash \Pi\Gamma_g.B_g : \mathsf{type}$;
otherwise the appeal to raise in the side condition below is not well-formed.

Consider the case that $g : \Pi\Gamma_g.B_g$ is one of the parameter variables declared in $\rho$. Following
the two sets of rules above, we make all arguments of $g$ dependent on $\Gamma_x$, and then try to unify
the raised base type of $g$ with $\Pi\Gamma_x.B_x$. If the unification algorithm returns with a most general
and strict substitution, we return the new cover.

$$\frac{\Psi_1; x{:}\Pi\Gamma_x.B_x; \Psi_2; \Psi_3 \vdash \rho \gg \omega\ \mathrm{cover}}{\Psi_1; x{:}\Pi\Gamma_x.B_x; \Psi_2; \Psi_3 \vdash \rho, g{:}\Pi\Gamma_g.B_g \gg \omega, (\Psi' \triangleright \psi|_{\Psi})\ \mathrm{cover}}\ \mathrm{gcunify}$$

where

$$\begin{array}{l}
\Psi = \Psi_1, x{:}\Pi\Gamma_x.B_x, \Psi_2\\
\Psi, \Psi_3 \vdash \mathrm{raise}\,(\Gamma_x, \Pi\Gamma_g.B_g) = (\Psi_g \triangleright \Pi\Gamma_x.B'_g)\\
\Psi' \vdash \psi = \mathrm{mgu}\,(\Pi\Gamma_x.B_x \approx \Pi\Gamma_x.B'_g,\ x \approx \lambda\Gamma_x.\,g\,(\Psi_g\,\Gamma_x)) : \Psi, \Psi_3, \Psi_g\\
\Psi' \vdash (\cdot \triangleright \psi)\ \mathrm{strict}
\end{array}$$

And exactly as above, if the unification fails, $g$ cannot be the head of $x$, and therefore we
do not have to add it to the cover.

$$\frac{\Psi_1; x{:}\Pi\Gamma_x.B_x; \Psi_2; \Psi_3 \vdash \rho \gg \omega\ \mathrm{cover}}{\Psi_1; x{:}\Pi\Gamma_x.B_x; \Psi_2; \Psi_3 \vdash \rho, g{:}\Pi\Gamma_g.B_g \gg \omega\ \mathrm{cover}}\ \mathrm{gcskip}$$

where

$$\begin{array}{l}
\Psi = \Psi_1, x{:}\Pi\Gamma_x.B_x, \Psi_2\\
\Psi, \Psi_3 \vdash \mathrm{raise}\,(\Gamma_x, \Pi\Gamma_g.B_g) = (\Psi_g \triangleright \Pi\Gamma_x.B'_g)\\
\Pi\Gamma_x.B_x \approx \Pi\Gamma_x.B'_g,\ x \approx \lambda\Gamma_x.\,g\,(\Psi_g\,\Gamma_x)\ \text{do not unify}
\end{array}$$


Rules  for  Schematic  Coverage 

Unlike the first two sets of rules, the coverage algorithm must also traverse the context schema,
and check for each block schema whether it contributes new cases. In most of our examples, we dealt
only with one context block, but in practice, theorems are very likely to rely on many. We
have already seen in Section 4.2.3 one example of multi-block context schemas, when we added
polymorphism to the simply-typed $\lambda$-calculus.

The rules for schematic coverage require renaming substitutions $\sigma$ that map schema contexts
$C$ to generalized contexts, $\Psi \vdash \sigma \in C$. They are defined in a straightforward way.
We start with the definition of schematic coverage. If the context schema is empty, we return
the empty cover

$$\frac{}{\Psi_1; x{:}\Pi\Gamma_x.B_x; \Psi_2 \vdash \cdot \gg \cdot\ \mathrm{cover}}\ \mathrm{scempty}$$

otherwise, there must be a context block SOME $C_1$. BLOCK $C_2$. We proceed by renaming $C_1$
into a generalized context $\Psi_3$, and $\alpha$-convert $C_2$ to a new variable block $\rho$. Then we examine
all cases which arise from $\rho$ using the global parameter judgment, and return the newly found
cases.

$$\frac{\begin{array}{c}\Psi_1; x{:}\Pi\Gamma_x.B_x; \Psi_2 \vdash S \gg \omega_1\ \mathrm{cover} \qquad \Psi_3 \vdash \sigma \in C_1\\ \Psi_1, x{:}\Pi\Gamma_x.B_x, \Psi_2, \Psi_3 \vdash \rho =_\alpha [\sigma]C_2 \qquad \Psi_1; x{:}\Pi\Gamma_x.B_x; \Psi_2; \Psi_3, \rho^L \vdash \rho \gg \omega_2\ \mathrm{cover}\end{array}}{\Psi_1; x{:}\Pi\Gamma_x.B_x; \Psi_2 \vdash S, (\mathsf{SOME}\ C_1.\ \mathsf{BLOCK}\ C_2)^L \gg \omega_1, \omega_2\ \mathrm{cover}}\ \mathrm{scnext}$$


Rules  for  Single  Coverage 

All is prepared to combine the three parts of the coverage algorithm described above. The overall
coverage algorithm non-deterministically and successively picks variables from the generalized
context $\Psi$, and splits them. This part of the algorithm is defined by two judgments, called single
coverage and multiple coverage. Single coverage means that $\omega$ covers all cases by refining one
variable.

$$\frac{\Psi_1; x{:}\Pi\Gamma_x.B_x; \Psi_2 \vdash \Gamma_x \gg \omega_1\ \mathrm{cover} \quad \Psi_1; x{:}\Pi\Gamma_x.B_x; \Psi_2 \vdash \Sigma \gg \omega_2\ \mathrm{cover} \quad \Psi_1; x{:}\Pi\Gamma_x.B_x; \Psi_2 \vdash S \gg \omega_3\ \mathrm{cover}}{\Psi \vdash \omega_1, \omega_2, \omega_3\ \mathrm{cover}}\ \mathrm{single}$$

where $\Psi = \Psi_1, x{:}\Pi\Gamma_x.B_x, \Psi_2$.


Rules  for  Multiple  Coverage 

The judgment for multiple coverage calls single coverage repeatedly and combines the results by
an easy substitution composition.

$$\frac{\Psi \vdash \omega\ \mathrm{cover}}{\Psi \vdash \omega\ \mathrm{cover}^*}\ \mathrm{multiempty}$$

$$\frac{\Psi \vdash \omega_1, (\Psi' \triangleright \psi), \omega_2\ \mathrm{cover}^* \quad \Psi' \vdash \omega'\ \mathrm{cover}}{\Psi \vdash \omega_1, \psi \circ \omega', \omega_2\ \mathrm{cover}^*}\ \mathrm{multicons}$$

where

$$\psi \circ \cdot = \cdot$$

$$\psi \circ (\omega', (\Psi'' \triangleright \psi'')) = \psi \circ \omega', (\Psi'' \triangleright \psi \circ \psi'')$$


The coverage algorithm is designed to formulate a syntactic criterion for side condition (5.2)
attached to the case-rule in Section 5.6.2:

$$\frac{\Psi; \Delta \vdash \psi; \delta \in \Psi'; \Delta' \quad \Psi'; \Delta' \vdash \Omega \in F}{\Psi; \Delta \vdash \mathsf{case}\ (\psi; \delta)\ \mathsf{of}\ \Omega \in F[\psi]}\ \mathrm{case}$$

Informally, $\Omega$ is said to cover all cases if it can be guaranteed that the stripped version of $\Omega$
is in fact generated by the coverage algorithm.

Definition 7.12 (Syntactic coverage criterion)

$$\Psi' \vdash \mathrm{strip}\,(\Omega)\ \mathrm{cover}^*$$

where we understand as stripping the operation that removes all $P$ from $\Omega$.

Definition 7.13 (Stripping)

$$\mathrm{strip}\,(\cdot) = \cdot$$

$$\mathrm{strip}\,(\Omega, (\Psi' \triangleright \psi \mapsto P)) = \mathrm{strip}\,(\Omega), (\Psi' \triangleright \psi)$$
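The constant-coverage and multiple-coverage rules above, and the liveness property of Lemma 7.23 in Section 7.3.3, are illustrated by the following added example; it is not code from the thesis or from Twelf. It is a first-order model: types are first-order terms, so there are no binders, no raising and no local or global parameters, and strictness of the unifier is not checked; the signature (naturals and length-indexed vectors) and all function names are this example's own constructions.

```python
import itertools

# Terms: a variable is a string '?X'; anything else is a tuple ('head', arg, ...).
# A generalized context Psi is a dict  variable -> type; types are terms too, so a
# type may depend on earlier variables, e.g. '?V': ('vec', '?M').

class Clash(Exception):
    """constant/constant clash: the case provably does not apply (rule ccskip)"""

class NoAnswer(Exception):
    """any other failure (here: occurs check): the coverage algorithm gives no answer"""

def is_var(t):
    return isinstance(t, str) and t.startswith('?')

def apply(t, s):
    """Apply the (triangular) substitution s to term t."""
    while is_var(t) and t in s:
        t = s[t]
    if is_var(t):
        return t
    return (t[0],) + tuple(apply(a, s) for a in t[1:])

def free_vars(t):
    return {t} if is_var(t) else set().union(*(free_vars(a) for a in t[1:]))

def mgu(pairs):
    """Robinson unification: the most general unifier of the pairs, or Clash / NoAnswer."""
    s, work = {}, list(pairs)
    while work:
        a, b = work.pop()
        a, b = apply(a, s), apply(b, s)
        if a == b:
            continue
        if not is_var(a) and is_var(b):
            a, b = b, a                      # keep the variable on the left
        if is_var(a):
            if a in free_vars(b):
                raise NoAnswer(f'occurs check: {a} in {b}')
            s[a] = b
        elif a[0] != b[0] or len(a) != len(b):
            raise Clash(f'{a[0]} vs {b[0]}')
        else:
            work.extend(zip(a[1:], b[1:]))
    return s

_fresh = itertools.count(1)

def split(ctx, x, sig):
    """Constant coverage of x in ctx.  sig maps a constant c to (implicit argument
    context, explicit argument types, result type).  Returns the cover: a list of
    (Psi', psi|Psi), one entry per constant whose raised result type unifies with
    the type of x (ccunify); a Clash skips the constant (ccskip)."""
    cover = []
    for c, (implicit, arg_tys, res_ty) in sig.items():
        # raising: fresh variables Psi_c for the implicit and explicit arguments of c
        ren = {v: f'?{v[1:]}{next(_fresh)}' for v in implicit}
        args = [f'?A{next(_fresh)}' for _ in arg_tys]
        psi_c = {ren[v]: apply(ty, ren) for v, ty in implicit.items()}
        psi_c.update({a: apply(ty, ren) for a, ty in zip(args, arg_tys)})
        problem = [(apply(res_ty, ren), ctx[x]), (x, (c,) + tuple(args))]
        try:
            psi = mgu(problem)
        except Clash:
            continue
        both = {**ctx, **psi_c}                                    # Psi, Psi_c
        new_ctx = {v: apply(ty, psi) for v, ty in both.items() if v not in psi}
        cover.append((new_ctx, {v: apply(v, psi) for v in ctx}))  # (Psi' > psi|Psi)
    return cover

def compose(psi0, psi1):
    """psi0 o psi1: apply psi0 first, then psi1 (the composition used by multicons)."""
    return {v: apply(t, psi1) for v, t in psi0.items()}

def refine(cover, y, sig):
    """One multicons step, applied to every entry (Psi' > psi) whose co-domain Psi'
    declares y: split y there and replace the entry by psi o omega'."""
    result = []
    for ctx1, psi in cover:
        if y not in ctx1:
            result.append((ctx1, psi))
        else:
            result.extend((ctx2, compose(psi, psi2)) for ctx2, psi2 in split(ctx1, y, sig))
    return result

def liveness_witness(cover, eta):
    """Lemma 7.23 in this model: for a closed instantiation eta of Psi, return the index
    of an entry (Psi0 > psi0) and a psi1 with psi0 o psi1 = eta, or None."""
    for i, (ctx0, psi0) in enumerate(cover):
        try:
            psi1 = mgu([(psi0[v], eta[v]) for v in eta])
        except (Clash, NoAnswer):
            continue
        return i, {v: apply(v, psi1) for v in ctx0}   # eta is closed: only Psi0 is bound
    return None

# Constructed signature: natural numbers and length-indexed vectors (elements omitted).
SIG = {
    'z':    ({}, [], ('nat',)),
    's':    ({}, [('nat',)], ('nat',)),
    'nil':  ({}, [], ('vec', ('z',))),
    'cons': ({'?N': ('nat',)}, [('vec', '?N')], ('vec', ('s', '?N'))),
}

def demo():
    """Split V : vec (s M), then the tail exposed by cons; return the cover*, a
    constructed closed instantiation eta and its liveness witness."""
    ctx = {'?M': ('nat',), '?V': ('vec', ('s', '?M'))}
    omega = split(ctx, '?V', SIG)                 # nil clashes (z vs s): only the cons case
    tail = next(v for v in omega[0][0] if v != '?M')
    omega = refine(omega, tail, SIG)              # nil and cons cases for the tail
    eta = {'?M': ('s', ('z',)), '?V': ('cons', ('cons', ('nil',)))}
    return omega, eta, liveness_witness(omega, eta)

if __name__ == '__main__':
    for ctx0, psi0 in demo()[0]:
        print(ctx0, psi0)
```

Because `eta` is closed, the witness search is one-way matching, which is why the unifier it returns instantiates only the variables of the selected entry's co-domain.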

In summary, we have presented a sophisticated algorithm to characterize the coverage property
of case analysis as a syntactic property of a proof term. That the coverage algorithm indeed
returns a complete set of covers is the main result that we present in the next section. From an
experimental point of view, we want to point out that all examples from Chapter 3, and their
formalizations in Chapter 4, satisfy this criterion. The side condition itself is syntactic, which
means that it is easy to implement. Moreover, in the implementation of the meta-theorem
prover in the Twelf system, we use the coverage algorithm to generate the different forms of $\Omega$,
a process which we call splitting. The Twelf system is described in detail in Chapter 8. From a
theoretical point of view, the design of this criterion is the final step in our quest to turn $\mathcal{M}_2^+$
into a calculus of realizers. That it satisfies the necessary properties is discussed in the next
section.

7.3.3  Meta-Theory 

We begin now with the discussion of the theoretical properties of the coverage algorithm presented
in the previous subsection. Any valid case analysis satisfying the syntactic criterion is
guaranteed  to  cover  all  cases,  and  in  particular,  when  executing  it  on  the  abstract  machine 
defined  in  Section  7.1.3  the  computation  never  runs  into  a  state  where  it  cannot  make  progress. 

This  subsection  is  organized  as  follows:  First,  we  discuss  some  general  properties  about 
substitutions.  Second,  we  show  that  independent  of  the  current  environment,  the  abstract 
machine  always  finds  a  case  in  ft,  when  it  executes  a  case  instruction.  This  property  is  called 
liveness.  Finally,  we  generalize  liveness  to  progress. 

Preliminaries 

Well-formed generalized substitutions $\psi$ satisfy $\Psi' \vdash \psi \in \Psi$. Each substitution of this form can
easily be restricted to an initial fragment of $\Psi$. Consider, for example, $\Psi = \Psi_1, \Psi_2$. By several
inversions on the typing derivation of $\psi$, we can easily deduce that $\psi = \psi_1, \psi_2$, and moreover
$\Psi' \vdash \psi_1 \in \Psi_1$. This simple property of substitutions is used several times in the proofs presented
in this section. Following common practice, we write $\psi_1 = \psi|_{\Psi_1}$ in order to restrict $\psi$ to $\Psi_1$.

Lemma 7.14 (Restricting substitutions)

If $\Psi' \vdash \psi \in \Psi_1, \Psi_2$
then $\Psi' \vdash \psi|_{\Psi_1} \in \Psi_1$.

Proof: by induction on $\Psi_2$. $\square$
Similarly, if we restrict the composition of two substitutions to a generalized context $\Psi$, the
result is the same as if we had restricted the left substitution to $\Psi$ before composing it with the
right.

Lemma 7.15 (Restricting compositions)

If $\Psi_2 \vdash \psi_2 \in \Psi_1$

and $\Psi_1 \vdash \psi_1 \in \Psi'$

then $(\psi_1 \circ \psi_2)|_{\Psi} = \psi_1|_{\Psi} \circ \psi_2$.

Proof: by induction on the definition of substitution composition. $\square$

A second concept, which is important in the proofs below, is that given a generalized substitution,
we can easily transform it into a meta-substitution. This process is called factorization,
because we can write $(\psi; \delta)$ as a composition of two substitutions, given that we know how to
factor $\psi$.

Lemma 7.16 (Factorization)

If $\Psi' \vdash \psi_1 \in \Psi_0$

and $\Psi_0 \vdash \psi_0 \in \Psi$

and $\Psi' \vdash \psi_0 \circ \psi_1 = \psi \in \Psi$

and $\Psi'; \cdot \vdash \psi; \delta \in \Psi; \Delta$

then $\Psi'; \cdot \vdash \psi_1; \delta \in \Psi_0; [\psi_0]\Delta$

and $\Psi_0; [\psi_0]\Delta \vdash \psi_0; \mathrm{id}_\Delta \in \Psi; \Delta$

and $\Psi'; \cdot \vdash (\psi_0; \mathrm{id}_\Delta) \circ (\psi_1; \delta) = (\psi; \delta) \in \Psi; \Delta$.

Proof: direct. $\square$

A last useful property is projection. Given a meta-substitution, we can extract the underlying
generalized substitution.

Lemma 7.17 (Projection)

If $\mathcal{D} :: \Psi'; \cdot \vdash \psi; \delta \in \Psi; \Delta$
then $\Psi' \vdash \psi \in \Psi$.

Proof: by induction on $\mathcal{D}$. $\square$

Liveness 

Liveness expresses that every case statement satisfying the coverage condition can be successfully
executed without starving the computation. Only under the assumption that liveness holds can
we prove progress. More precisely, we must show that "case $(\psi; \delta)$ of $\Omega$" provides a case
$(\Psi' \triangleright \psi' \mapsto P)$ in $\Omega$ such that there exists a $\psi''$ that satisfies $\psi = \psi' \circ \psi''$. The proof of this
property is split into several lemmas, closely following the definition of the coverage condition
in the previous section. For example, there is a liveness property for constant covers, for local
parameter covers, for global parameter covers and for schematic covers, and naturally for single
and multiple coverage.

We begin the presentation with a liveness lemma for constant covers. This lemma expresses
that if there exists a (in general arbitrary) unifier of $(\Pi\Gamma_x.B_x \approx \Pi\Gamma_x.B'_c,\ x \approx \lambda\Gamma_x.\,c\,(\Psi_c\,\Gamma_x))$,
where $\Psi_c, B'_c$ are the result of raising the type of a constant $c$ declared in $\Sigma$, then the case in $\Omega$
generated by $c$ (by ccunify) is applicable, and ev_yes would fire if $\Omega$ were executed. We construct
the substitution which solves this unification problem in the proof of Lemma 7.22 from the
explicit substitution in the case subject.

Lemma 7.18 (Liveness of constant covers)

If $\mathcal{D} :: \Psi_1; x{:}\Pi\Gamma_x.B_x; \Psi_2 \vdash \Sigma \gg \omega\ \mathrm{cover}$
and $\Psi = \Psi_1, x{:}\Pi\Gamma_x.B_x, \Psi_2$

and $\Sigma(c) = \Pi\Gamma_c.B_c$

and $\Psi \vdash \mathrm{raise}\,(\Gamma_x, \Pi\Gamma_c.B_c) = (\Psi_c \triangleright \Pi\Gamma_x.B'_c)$
and $\mathcal{E} :: \Psi'; \cdot \vdash \psi; \delta \in \Psi, \Psi_c; \Delta$

and $\psi \in \mathrm{unify}\,(\Pi\Gamma_x.B_x \approx \Pi\Gamma_x.B'_c,\ x \approx \lambda\Gamma_x.\,c\,(\Psi_c\,\Gamma_x))$

then there exists a $(\Psi_0 \triangleright \psi_0) \in \omega$ and a $\psi_1$

s.t. $\Psi' \vdash \psi_1 \in \Psi_0$

and $\Psi_0 \vdash \psi_0 \in \Psi$

and $\Psi' \vdash \psi_0 \circ \psi_1 = \psi|_{\Psi} \in \Psi$

Proof: by induction on $\mathcal{D}$, using Lemma 7.14 and Lemma 7.15. A detailed proof can be
found in Appendix C. $\square$

Similarly, if we have a solution for the unification problem $\mathrm{unify}\,(\Pi\Gamma_x.B_x \approx \Pi\Gamma_x.B'_p,\ x \approx
\lambda\Gamma_x.\,p\,(\Psi_p\,\Gamma_x))$ generated by a local parameter in $\Gamma$ (which we also construct in the proof of
Lemma 7.22), then the corresponding case (generated by $p$) in $\Omega$ is applicable, and ev_yes would
fire if $\Omega$ were executed.

Lemma 7.19 (Liveness of local parameter covers)

If $\mathcal{D} :: \Psi_1; x{:}\Pi\Gamma_x.B_x; \Psi_2 \vdash \Gamma \gg \omega\ \mathrm{cover}$
and $\Psi = \Psi_1, x{:}\Pi\Gamma_x.B_x, \Psi_2$
and $\Gamma(p) = \Pi\Gamma_p.B_p$

and $\Psi \vdash \mathrm{raise}\,(\Gamma_x, \Pi\Gamma_p.B_p) = (\Psi_p \triangleright \Pi\Gamma_x.B'_p)$
and $\mathcal{E} :: \Psi'; \cdot \vdash \psi; \delta \in \Psi, \Psi_p; \Delta$

and $\psi \in \mathrm{unify}\,(\Pi\Gamma_x.B_x \approx \Pi\Gamma_x.B'_p,\ x \approx \lambda\Gamma_x.\,p\,(\Psi_p\,\Gamma_x))$

then there exists a $(\Psi_0 \triangleright \psi_0) \in \omega$ and a $\psi_1$

s.t. $\Psi' \vdash \psi_1 \in \Psi_0$

and $\Psi_0 \vdash \psi_0 \in \Psi$

and $\Psi' \vdash \psi_0 \circ \psi_1 = \psi|_{\Psi} \in \Psi$

Proof: by induction on $\mathcal{D}$, using Lemma 7.14 and Lemma 7.15. A detailed proof can be
found in Appendix C. $\square$

And finally, if we have a solution for the unification problem $\mathrm{unify}\,(\Pi\Gamma_x.B_x \approx \Pi\Gamma_x.B'_g,\ x \approx
\lambda\Gamma_x.\,g\,(\Psi_g\,\Gamma_x))$, this time to be constructed in the proof of Lemma 7.21, the corresponding case
(generated by $g$) in $\Omega$ is applicable, and ev_yes would fire if $\Omega$ were executed.

Lemma 7.20 (Liveness of global parameter covers)

If $\mathcal{D} :: \Psi_1; x{:}\Pi\Gamma_x.B_x; \Psi_2; \Psi_3 \vdash \rho \gg \omega\ \mathrm{cover}$
and $\Psi = \Psi_1, x{:}\Pi\Gamma_x.B_x, \Psi_2$
and $\rho(g) = \Pi\Gamma_g.B_g$

and $\Psi, \Psi_3 \vdash \mathrm{raise}\,(\Gamma_x, \Pi\Gamma_g.B_g) = (\Psi_g \triangleright \Pi\Gamma_x.B'_g)$
and $\mathcal{E} :: \Psi' \vdash \psi \in \Psi, \Psi_3, \Psi_g$

and $\psi \in \mathrm{unify}\,(\Pi\Gamma_x.B_x \approx \Pi\Gamma_x.B'_g,\ x \approx \lambda\Gamma_x.\,g\,(\Psi_g\,\Gamma_x))$

then there exists a $(\Psi_0 \triangleright \psi_0) \in \omega$ and a $\psi_1$

s.t. $\Psi' \vdash \psi_1 \in \Psi_0$

and $\Psi_0 \vdash \psi_0 \in \Psi$

and $\Psi' \vdash \psi_0 \circ \psi_1 = \psi|_{\Psi} \in \Psi$

Proof: by induction on $\mathcal{D}$, using Lemma 7.14 and Lemma 7.15. A detailed proof can be found in
Appendix C. $\square$

Recall that the coverage condition for global parameters was defined by two judgments in the
previous subsection. We have a judgment for global parameter coverage and one for schematic
coverage. Correspondingly, there is a lemma for liveness of global parameter covers, which we
have already discussed, and there is one for the liveness of schematic coverage, which we discuss
now. Consider a case analysis on $x$. We must show that for every possible form of $x$ there is a
case in $\Omega$, and for this lemma, we assume that $x$ is bound to an object whose head constructor
is a parameter variable $g$ declared in the parameter context: $\psi(x) = \lambda\Gamma_x.\,g\,M_1 \ldots M_n$. $g$ must
be declared in a block schema which is part of the overall declared context schema. From this
information alone, we can construct a solution to the unification problem in Lemma 7.20, which
proves the claim immediately.

Lemma 7.21 (Liveness of schematic coverage)

If $\mathcal{D} :: \Psi_1; x{:}\Pi\Gamma_x.B_x; \Psi_2 \vdash S \gg \omega\ \mathrm{cover}$

and $\Psi = \Psi_1, x{:}\Pi\Gamma_x.B_x, \Psi_2$

and $\mathcal{E} :: \Psi' \vdash \psi \in \Psi$

and $\psi(x) = \lambda\Gamma_x.\,g\,M_1 \ldots M_n$

and $\rho^L \in \Psi'$

and $\rho(g) = \Pi\Gamma_g.B_g$

and $S(L) = \mathsf{SOME}\ C_1.\ \mathsf{BLOCK}\ C_2$

then there exists a $(\Psi_0 \triangleright \psi_0) \in \omega$ and a $\psi_1$

s.t. $\Psi' \vdash \psi_1 \in \Psi_0$

and $\Psi_0 \vdash \psi_0 \in \Psi$

and $\Psi' \vdash \psi_0 \circ \psi_1 = \psi \in \Psi$

Proof: by induction on $\mathcal{D}$, using Lemma 7.11, Lemma 6.7, Lemma 2.7, and Lemma 7.20. A
detailed proof can be found in Appendix C. $\square$

The substitution $\psi$ may map $x$ to an object whose head constructor is not necessarily a
global parameter. It could be either a local parameter or a constant, since there are only three
possibilities. By a very similar construction as in the previous argument, we construct a solution
to the unification problem from Lemma 7.18 and Lemma 7.19, respectively. The claim follows
immediately.
Lemma 7.22 (Liveness of single coverage)

If $\mathcal{D} :: \Psi \vdash \omega\ \mathrm{cover}$
and $\mathcal{E} :: \Psi' \vdash \psi \in \Psi$

then there exists a $(\Psi_0 \triangleright \psi_0) \in \omega$ and a $\psi_1$
s.t. $\Psi' \vdash \psi_1 \in \Psi_0$
and $\Psi_0 \vdash \psi_0 \in \Psi$
and $\Psi' \vdash \psi_0 \circ \psi_1 = \psi \in \Psi$

Proof: by case analysis of $\mathcal{D}$, using Theorem 2.6, Lemma 7.11, Lemma 6.7, Lemma 2.7,
Lemma 7.18, Lemma 7.19, and Lemma 7.21. A detailed proof can be found in Appendix C. $\square$

Our approach to complete case analysis allows several splitting steps over different variables;
in the coverage condition, this is expressed by the multicons-rule. In order to show that there is
always one applicable case in $\Omega$, we have to consider successive splits over several variables in $\psi$
according to the cover* relation.

Lemma 7.23 (Liveness of multiple coverage)

If $\mathcal{D} :: \Psi \vdash \omega\ \mathrm{cover}^*$
and $\Psi' \vdash \psi \in \Psi$

then there exists a $(\Psi_0 \triangleright \psi_0) \in \omega$ and a $\psi_1$
s.t. $\Psi' \vdash \psi_1 \in \Psi_0$
and $\Psi_0 \vdash \psi_0 \in \Psi$
and $\Psi' \vdash \psi_0 \circ \psi_1 = \psi \in \Psi$

Proof: by induction on $\mathcal{D}$, using Lemma 7.22 and Lemma 5.2. A detailed proof can be found
in Appendix C. $\square$

Finally, by factoring and projecting meta-substitutions, we obtain the formal result that
any case statement which satisfies the coverage condition defines one case in $\Omega$ that keeps the
computation running on the abstract machine. The decomposition of the substitution, which is
guaranteed to exist by the next lemma, is a formalization of the side condition of ev_yes.

Lemma 7.24 (Liveness)

If $\mathcal{D} :: \Psi \vdash \omega\ \mathrm{cover}^*$

and $\mathcal{E} :: \Psi'; \cdot \vdash \psi; \delta \in \Psi; \Delta$

then there exists a $(\Psi_0 \triangleright \psi_0) \in \omega$ and a $\psi_1$, s.t. $\Psi'; \cdot \vdash \psi_1; \delta \in \Psi_0; [\psi_0]\Delta$

and $\Psi_0; [\psi_0]\Delta \vdash \psi_0; \mathrm{id}_\Delta \in \Psi; \Delta$

and $\Psi'; \cdot \vdash (\psi_0; \mathrm{id}_\Delta) \circ (\psi_1; \delta) = (\psi; \delta) \in \Psi; \Delta$

Proof: direct, by Lemma 7.17, Lemma 7.23, and Lemma 7.16. A detailed proof can be found in
Appendix C. $\square$

The stage is set for the proof that every function in $\mathcal{M}_2^+$ under the two side conditions is a
realizer.

Progress

Liveness is a property attached to case statements. In essence, it expresses that for any case
subject, the side condition attached to tryes is fulfilled for at least one case in $\Omega$. This observation
guarantees that the abstract machine, once started on a match state containing $\Omega$, will transition
into a non-match state after finitely many steps (by applying tryes). Therefore the computation
of cases can never get stuck.

Lemma 7.25 (Progress for case)

If $S$ is a match state on the case list $\Omega$ under the substitution $(\psi; \delta)$,
and there exists a $((\Psi_0 \triangleright \psi_0) \mapsto P) \in \Omega$ and a $\psi_1$
s.t. $\Phi; \cdot \vdash \psi_1; \delta \in \Psi_0; [\psi_0]\Delta$
and $\Psi_0; [\psi_0]\Delta \vdash \psi_0; \mathrm{id}_\Delta \in \Psi; \Delta$
and $\Phi; \cdot \vdash (\psi_0; \mathrm{id}_\Delta) \circ (\psi_1; \delta) = (\psi; \delta) \in \Psi; \Delta$
then there exists an $S'$
and $S \Rightarrow S'$
and $S'$ is not a match state.

Proof: by induction over $\Omega$. A detailed proof can be found in Appendix C. □

This  result  generalizes  directly  to  the  progress  theorem.  In  every  state  (except  a  final  state) 
the  abstract  machine  can  make  one  transition  step  to  the  next  state.  Thus,  by  induction  it 
follows  that  in  any  situation  the  machine  can  make  progress.  In  a  situation  where  the  current 
state  contains  a  case  statement,  the  claim  follows  from  the  progress  lemma  for  case,  in  all  others 
directly  from  the  form  of  the  rules. 

Theorem 7.26 (Progress)

If $S$ is a state, but not a match state,
and $\Phi; \cdot \vartriangleright V$
and $\mathcal{V} :: \vdash S \in F$
then there exist an $S'$ and an $S''$ which is not a match state
and $S \Rightarrow S' \Rightarrow S''$.

Proof: by case analysis of $S$, using Lemma 7.24 and Lemma 7.25. A detailed proof can be found in Appendix C. □

Therefore,  any  computation  executed  on  the  abstract  machine  can  never  get  stuck  until  it 
reaches  a  final  state  that  we  interpret  as  the  result  of  the  computation. 

7.4 Soundness of $\mathcal{M}_2^+$

All proof terms of the fragment of $\mathcal{M}_2^+$ specified in Section 7.2.1 are total under the operational interpretation via a small-step semantics. We conjecture that this claim holds for all functions in the $\Pi_2$-fragment of $\mathcal{M}_2^+$, but we leave the proof of this claim to future work.

When those proof terms (encoded as states) are executed on the abstract machine, the computation makes progress and will eventually terminate. Technically, we can extract the value of the computation out of the final state. Thus, all proof terms in $\mathcal{M}_2^+$ witness the provability of a theorem and are therefore called realizers.
Theorem 7.27 (Realizability)

If $\Phi; \cdot \vdash P \in F$
then there exists a $V$
s.t. $\Phi; \cdot \vdash V \in F$
and $\Phi; \cdot \vartriangleright P$

Proof: direct, using Theorem 7.9, Lemma 7.4, and Theorem 7.26. A detailed proof can be found in Appendix C. □

All functions in $\mathcal{M}_2^+$ are realizers, and by executing them we construct the witness objects for the existentials from given instantiations of the universals. Moreover, we can now give a formal proof of the soundness of $\mathcal{M}_2^+$ with respect to the semantics we have specified in Definition 5.7. Any $\Pi_2$-formula which is 'inhabited' by a value $V$ is semantically valid. The proof is an easy induction over the structure of formulas.

Theorem 7.28 (Soundness of $\mathcal{M}_2^+$)

1. If $\mathcal{V} :: \vdash Q \in G$
then $\models G$.

2. If $\mathcal{V} :: \Phi; \cdot \vdash V \in F$
then $\Phi \models F$.

Proof: (1) direct, (2) by induction on the size of formulas $F$, using Lemma 6.11, Theorem 7.27, Lemma 6.22, and Lemma 6.20. A detailed proof can be found in Appendix C. □

7.5  Summary 

We conclude this chapter by reiterating the main theoretical results of this thesis. $\mathcal{M}_2^+$ is a sound intuitionistic meta-logic, because all recursive functions are realizers. It elegantly combines higher-order representation techniques with the formalization of inductive arguments. Unlike purely logical systems, which are designed to be complete, we cannot hope for $\mathcal{M}_2^+$ to be complete because of its expressiveness (even though it is restricted to the $\Pi_2$-fragment). We have not carried out the argument, but we speculate that $\mathcal{M}_2^+$ could theoretically be represented in LF, which exposes it to Gödel's incompleteness theorem [Göd31].

If preferred, $\mathcal{M}_2^+$ can be seen as a type theory whose datatypes take full advantage of LF's representational power, i.e. dependent types and higher-order representation techniques. In this it differs significantly from inductive definitions that rely on the positivity condition. Without the coverage and termination side conditions, $\mathcal{M}_2^+$ is a type theory for recursive functions; with them, $\mathcal{M}_2^+$ can be seen as a sound meta-logic for LF.

In addition, this type theory inherits many of the properties associated with hypothetical judgments, such as substitution, contraction, weakening, and exchange. Those properties need not be explicitly represented in a proof term, which makes proof terms in general short, concise, and amenable to automatic construction, which we discuss in Chapter 8. We leave an investigation of how to turn $\mathcal{M}_2^+$ into a full-fledged programming language to future research, but discuss the basic ideas in Section 9.1.5.
Chapter 8


Twelf 


8.1  Introduction 

Twelf is a meta-logical framework for the specification, implementation, and meta-theory of deductive systems from the theory of programming languages and logics. For example, Twelf has been successfully employed to derive various properties such as type preservation and progress of various operational semantics, the consistency of logics, and the admissibility of new inference rules. Other results include automatic proofs of the Church-Rosser theorem, cut-elimination for various logics, and soundness and completeness of uniform proof search and resolution. It relies on the LF type theory and the judgments-as-types methodology for specification [HHP93], a constraint logic programming interpreter for implementation [Pfe91], and the meta-logic $\mathcal{M}_2^+$ for reasoning about object languages encoded in LF under the regular world assumption. It is a significant extension and complete reimplementation of the Elf system [Pfe94].


Specification.  Twelf  employs  the  representation  methodology  and  underlying  type  theory  of 
the  LF  logical  framework  discussed  in  Chapter  2.  Expressions  are  represented  as  LF  objects 
using  the  technique  of  higher-order  abstract  syntax  and  hypothetical  judgments  whereby  variables 
of  an  object  language  are  mapped  to  variables  in  the  meta-language.  This  means  that  common 
operations,  such  as  renaming  of  bound  variables  or  capture-avoiding  substitutions  are  directly 
supported  by  the  framework  and  do  not  need  to  be  programmed  anew  for  each  object  language. 

For  semantic  specification  LF  uses  the  judgments- as-types  representation  technique.  This 
means  that  a  derivation  is  coded  as  an  object  whose  type  represents  the  judgment  it  establishes. 
Checking  the  correctness  of  a  derivation  is  thereby  reduced  to  type-checking  its  representation 
in  the  logical  framework  and  therefore  in  Twelf  (which  is  efficiently  decidable). 


Algorithms. Generally, specification is followed by implementation of algorithms manipulating expressions or derivations. Twelf supports the implementation of such algorithms by a constraint logic programming interpretation of LF signatures, a slight variant of the one originally proposed in [Pfe91] and implemented in Elf [Pfe94]. The operational semantics is based on goal-directed, backtracking search for an object of a given type. For the purpose of this thesis we will not discuss this feature here. The interested reader is invited to consult [PS98] for a detailed discussion.


Meta-Theory. Using the regular world assumption, Twelf offers an experimental automatic meta-theorem proving component based on the meta-logic $\mathcal{M}_2^+$ presented in Chapter 5. It expects as input a $\Pi_2$-statement describing a property of LF objects over a fixed signature, a fixed context schema, and a termination ordering, and searches for an inductive proof by constructing a realizer in $\mathcal{M}_2^+$. Even though a number of the theorems in the example suites described below can be proven automatically, we consider the meta-theorem prover to be in a preliminary state.

Twelf is written in Standard ML and runs under SML of New Jersey and MLWorks on Unix and Windows platforms. The current version is distributed with a complete manual, example suites, a tutorial in the form of on-line lecture notes [Pfe00], and an Emacs interface. Source and binary distributions are accessible via the Twelf home page http://www.twelf.org.

While  Twelf  is  implemented  in  ML  it  is  executed  as  a  stand-alone  program  rather  than 
within  the  ML  top-level  loop.  This  is  feasible,  since  meta-programming  is  carried  out  in  type 
theory  itself  via  a  logic  programming  interpretation,  rather  than  in  ML  as  in  many  other  proof 
development  environments.  The  most  effective  way  to  interact  with  Twelf  is  as  an  inferior 
process  to  Emacs.  The  Emacs  interface,  which  has  been  tested  under  XEmacs,  FSF  Emacs, 
and  NT  Emacs,  provides  an  editing  mode  for  Twelf  source  files  and  commands  for  incremental 
type  checking,  logic  program  execution,  and  theorem  proving.  Moreover  it  provides  utilities  for 
jumping  to  error  locations  and  tagging  and  maintaining  configurations  of  source  files. 

In this chapter we sketch a theorem prover for LF implemented in the Twelf system in Section 8.2, and we describe the meta-theorem prover in Section 8.3, in particular the three basic operations Filling, Splitting, and Recursion and the non-standard treatment of lemmas, and we remark on the correctness of the implementation. In Section 8.4 we give a brief overview of how to use Twelf and its meta-theorem prover, and we demonstrate its power by presenting a formalization of the Church-Rosser example. In Section 8.5 we report on other experiments we have conducted with the meta-theorem prover, and we summarize the results of this chapter in Section 8.6.


8.2  Theorem  Prover  for  LF 


The overall goal of this thesis is to develop a tool to automate the meta-theory of deductive systems. This tool is designed to automate the reasoning processes as we have used them to convince ourselves of the correctness of the substitution Lemma 3.6 and the diamond Lemma 3.7 for the simply-typed $\lambda$-calculus in Section 2.2. It lies in the very nature of this goal that reasoning about a deductive system is connected to reasoning inside the formal system; in all example proofs, we have used the rules defined with the deductive system to complete a case in the proof, such as for example 'plam' and 'papp' in the proof of Lemma 3.4. Because the representations of the formal systems defining parallel reduction and well-typed terms in LF are adequate, i.e. there is a one-to-one correspondence between derivations in the deductive system and their representation as objects in the type theory, we can carry out the following development purely in type theory. We use the proof of the reflexivity Lemma 4.3 as example.
fun refl x = u
  | refl (lam (λx : term T. E′ x)) =
      let
        new x : term T, u : x ⟹ x
        val P x u = refl (E′ x)
      in
        plam (λx : term T. λu : x ⟹ x. P x u)
      end
  | refl (app E1 E2) =
      let
        val P1 = refl E1
        val P2 = refl E2
      in
        papp P1 P2
      end


This is the proof of a theorem about deductive systems, but on three occasions we reason inside the deductive system. In the first case, we have to search for an LF object $M$ of type $x \Longrightarrow x$, and such an $M$ clearly exists, because we assumed the existence of $u$. In the second case, where the argument to refl is $\mathrm{lam}\ (\lambda x : \mathrm{term}\ T.\ E'\ x)$, we have to apply 'plam' to the result of the induction hypothesis in order to construct a derivation of type $\mathrm{lam}\ (\lambda x : \mathrm{term}\ T.\ E'\ x) \Longrightarrow \mathrm{lam}\ (\lambda x : \mathrm{term}\ T.\ E'\ x)$. And finally, in the third case we have to apply 'papp' to the results $P_1$ and $P_2$ of the two calls to the induction hypothesis.

Therefore,  the  meta-theorem  prover  that  is  designed  to  reason  about  deductive  systems  relies 
on  the  ability  to  reason  within  it.  In  short,  we  distinguish  the  LF-theorem  prover  that  searches 
for  proofs  within  a  deductive  system  from  the  meta-theorem  prover  that  searches  for  proofs  about 
formal  systems.  We  sketch  the  design  of  the  LF-theorem  prover  as  it  is  implemented  in  the  Twelf 
system  in  this  section,  and  postpone  the  design  of  the  meta-theorem  prover  until  Section  8.3. 


8.2.1  Basic  Operations 


The objective of the LF theorem prover is to search for an LF object of a given LF type from a set of assumptions $\Psi$ and a set of constants declared in the signature $\Sigma$. The context $\Psi$ contains all information about the currently valid extension of the regular world. In the implementation we use meta-variables to signify holes in an LF object (see also [Mun97]), and in this section we simply write $\boxed{P}$ for a meta-variable with the name $P$, omitting all details.


Example 8.1 (Parameter case) Given

$\Psi = T : \mathrm{tp}, (x : \mathrm{term}\ T, u : x \Longrightarrow x)^L$

the LF theorem prover can construct an object

$\boxed{P} : x \Longrightarrow x$

in the following way. First, it detects that no constant in the signature $\Sigma$ can instantiate $\boxed{P}$, because none of their types unify with $x \Longrightarrow x$: $x$ is a parameter and cannot be unified with constants. Second, it locates the one declaration in $\Psi$ whose type unifies, the parameter $u$. Therefore

$\boxed{P} = u$

successfully instantiates $\boxed{P}$.


Example 8.2 (lam-case) Given the context

$\Psi = T_1 : \mathrm{tp}, T_2 : \mathrm{tp}, E' : \mathrm{term}\ T_1 \to \mathrm{term}\ T_2, P : \Pi x : \mathrm{term}\ T_1.\ x \Longrightarrow x \to (E'\ x) \Longrightarrow (E'\ x)$

where $P$ is the result of applying the induction hypothesis after extending the world, the LF theorem prover constructs an object

$\boxed{P'} : (\mathrm{lam}\ (\lambda x : \mathrm{term}\ T_1.\ E'\ x)) \Longrightarrow (\mathrm{lam}\ (\lambda x : \mathrm{term}\ T_1.\ E'\ x))$

in the following way. After examining the entire signature and the context, the LF theorem prover determines that there is only one possible choice to instantiate $\boxed{P'}$, namely 'plam'. Since 'plam' is of functional type, it needs to be applied to another LF object, signified by $\boxed{P''} : (E'\ x) \Longrightarrow (E'\ x)$:

$\boxed{P'} = \mathrm{plam}\ (\lambda x : \mathrm{term}\ T_1.\ \lambda u : x \Longrightarrow x.\ \boxed{P''})$

The search continues, this time for $\boxed{P''}$. Note that the search must take place in an extended context, because $\boxed{P''}$ may depend on $x$ and $u$:

$T_1 : \mathrm{tp}, T_2 : \mathrm{tp}, E' : \mathrm{term}\ T_1 \to \mathrm{term}\ T_2, P : \Pi x : \mathrm{term}\ T_1.\ x \Longrightarrow x \to (E'\ x) \Longrightarrow (E'\ x), x : \mathrm{term}\ T_1, u : x \Longrightarrow x$

Eventually, the LF theorem prover successfully terminates with the valid instantiation $P\ x\ u$ for $\boxed{P''}$ and returns the overall search result:

$\boxed{P'} = \mathrm{plam}\ (\lambda x : \mathrm{term}\ T_1.\ \lambda u : x \Longrightarrow x.\ P\ x\ u)$


Example 8.3 (app-case) In the third case the LF theorem prover is given the context

$\Psi = T_1 : \mathrm{tp}, T_2 : \mathrm{tp}, E_1 : \mathrm{term}\ (T_2\ \mathrm{arrow}\ T_1), E_2 : \mathrm{term}\ T_2, P_1 : E_1 \Longrightarrow E_1, P_2 : E_2 \Longrightarrow E_2$

where $P_1$ and $P_2$ are the results of applying the induction hypothesis, and it is asked to construct an object $\boxed{P'}$ of type $(\mathrm{app}\ E_1\ E_2) \Longrightarrow (\mathrm{app}\ E_1\ E_2)$. There is only one constant in the signature that does not violate any typing constraints; 'papp' applied to two new meta-variables is therefore a possible instantiation for $\boxed{P'}$:

$\boxed{P'} = \mathrm{papp}\ \boxed{P'_1}\ \boxed{P'_2} : (\mathrm{app}\ E_1\ E_2) \Longrightarrow (\mathrm{app}\ E_1\ E_2)$

where $\boxed{P'_1}$ and $\boxed{P'_2}$ are two new meta-variables:

$\boxed{P'_1} : E_1 \Longrightarrow E_1$
$\boxed{P'_2} : E_2 \Longrightarrow E_2$

Next, in the same context $\Psi$, they are instantiated by $P_1$ and $P_2$, respectively, and hence $\mathrm{papp}\ P_1\ P_2 : (\mathrm{app}\ E_1\ E_2) \Longrightarrow (\mathrm{app}\ E_1\ E_2)$ is a solution for $\boxed{P'}$.


These three examples demonstrate how the LF theorem prover works. Starting with one meta-variable, the system searches for an instantiation of that variable, thereby possibly introducing new meta-variables. Only when all meta-variables are instantiated does the theorem prover stop and signal success. Meta-variables of functional type can be lowered by moving the additional functional parameters into the context, a trick we have used in Example 8.2.

Naturally, the search space for objects of a certain type may not always be finite. The LF theorem prover therefore employs a depth-limited, depth-first, iterative deepening search procedure, which works surprisingly well in many of our examples.


8.2.2  Correctness 

The implementation of the LF theorem prover is 513 lines of SML code, not taking into account the code for unification and constraint handling. Even though Twelf is programmed with a lot of care, and the central modules are manually verified, the implementation may still contain bugs.

But fortunately, we do not have to rely on the correctness of the implementations of the algorithms used in Twelf. Instead of verifying the correctness of the entire system, we can verify each result of the theorem prover by type checking! The LF type checker implemented in Twelf is relatively small, it contains only 206 lines of code, and it can be easily verified. It is autonomous in that it does not depend on other parts of Twelf, such as the modules for unification. In fact, the Twelf system provides an option that forces every object generated by the LF theorem prover to be type checked. With that option on, the trusted base is the type checker alone: a bug in the search procedure can at worst make a search fail or produce an object the checker rejects, never make an ill-typed object pass as a derivation.


8.2.3  Limitations 

The LF theorem prover has one crucial limitation: it implements a straightforward bottom-up search scheme for derivations in a deductive system. This search technique is advantageous for certain deductive systems, but it is absolutely disastrous for others. In particular, systems which define any kind of transitivity suffer extreme hardship, because once started the LF theorem prover tries to guess the intermediate object, which may be entirely unconstrained, and the run-time of the prover becomes excruciatingly slow.

For  certain  deductive  systems  on  the  other  hand,  in  particular  logics,  rewrite  systems,  and 
programming  systems,  specialized  proof  search  and  rewrite  methods  have  been  developed  in 
recent  years  [DMTV99,  Hah99].  We  can  only  outline  future  directions  of  research  to  incorporate 
these  techniques  into  the  LF  theorem  prover  in  Section  9.1.4. 
8.3 Meta-Theorem Prover

The meta-logic $\mathcal{M}_2^+$ is designed to formalize theorems that express properties about formal systems such as logics and programming languages, and their proofs. Its main purpose is to encode inductive arguments about higher-order encodings of deductive systems, higher-order encodings for which typically no standard induction principles exist. Inductive definitions are at the heart of many theorem provers like Coq, Isabelle, and Lego, and they rely on the closed world assumption. The Twelf system, however, is based on the regular world assumption, which permits the formalization of inductive arguments about higher-order encodings. Besides the standard constant declarations representing inference rules, the regular world assumption permits regular extensions of the world, as we have discussed in the previous chapters. In the proof of the reflexivity Lemma 4.3, for example, in particular in the second case, the induction hypothesis is only applicable in a world extended by $x, u$.

  | refl (lam (λx : term T. E′ x)) =
      let
        new x : term T, u : x ⟹ x
        val P x u = refl (E′ x)
      in
        plam (λx : term T. λu : x ⟹ x. P x u)
      end

The regular world assumption guarantees that dynamic extensions can only grow in regular, limited, and well-defined ways. Therefore we can predict their forms, and this allows us to reason about them abstractly.

It is this regular world assumption from which the meta-theorem prover in Twelf draws its power. In other theorem provers one has to introduce auxiliary constructions in order to make the natural higher-order encoding artificially first-order; but auxiliary constructions hamper efficient proof search, since properties about their interactions must be made explicit. Additional substitution lemmas for de Bruijn encodings, weakening lemmas, and exchange lemmas are only a few of the examples one encounters when working with artificial first-order encodings.

Therefore the main difference between the meta-theorem prover implemented in the Twelf system and other standard inductive theorem provers is that it provides mechanisms and operations to dynamically reason about the world. All our examples have very natural encodings in LF, the proofs are very elegant, as we have shown in Chapter 4, and therefore the meta-theorem prover is very efficient when it comes to constructing these kinds of proofs automatically. Hence, in these special domains, Twelf's meta-theorem prover outperforms any other inductive theorem prover. In this section, we describe its basic operations in Section 8.3.1, the treatment of lemmas in Section 8.3.2, and the proof search strategy in Section 8.3.3. Finally we report on the correctness of the implementation in Section 8.3.4, and we describe its limitations in Section 8.3.5.

8.3.1  Basic  Operations 

The proof search algorithm used for the meta-theorem prover in Twelf is composed of three basic proof search operations: Filling, Splitting, and Recursion. At what point in time to apply which operation is determined by the proof search strategy, which we describe in Section 8.3.3. The purpose of this subsection is to motivate the three basic operations.

The meta-theorem prover expects as input the formula to be proven and the termination order that guides proof search. Once started, it tries to construct a derivation in the proof calculus of $\mathcal{M}_2^+$ described in Chapter 5. In analogy to the description of the LF theorem prover in Section 8.2, we use meta-variables (this time ranging over $\mathcal{M}_2^+$ proof terms and not over LF objects), which we denote by $\boxed{\mathbf{P}}$. Note the bold type face of the variable inside the box.


Formally, the search procedure used in the meta-theorem prover is called with a formula $F$ and a context $\Psi$, and it returns a proof term $P$ or reports failure. We omit the set of meta-level assumptions $\Delta$ which is part of the typing judgment of $\mathcal{M}_2^+$. Initially, the meta-theorem prover is called with two more arguments: a termination order and an upper bound for search passed to the underlying LF theorem prover (see Section 8.2). Naturally, the LF signature and the description of how the world can be extended are fixed before the theorem prover is invoked. For better readability, we write

$\Psi \vdash \boxed{\mathbf{P}} \in F$

for proof goals. Recall that we only conduct proof search for proofs of $\Pi_2$-formulas. That means for the reflexivity lemma, for example, that we would ask the meta-theorem prover for a proof term $\boxed{\mathbf{P}}$ such that

$\boxed{\mathbf{P}} \in \forall T : \mathrm{tp}.\ \forall E : \mathrm{term}\ T.\ \exists P : E \Longrightarrow E.\ \top$


After applying $\forall$L twice, the meta-theorem prover arrives at a goal of the following form, which we can consider the initial state for the theorem proving process:

$T : \mathrm{tp}, E : \mathrm{term}\ T \vdash \boxed{\mathbf{P}'} \in \exists P : E \Longrightarrow E.\ \top$

where

$\boxed{\mathbf{P}} = \Lambda T : \mathrm{tp}.\ \Lambda E : \mathrm{term}\ T.\ \boxed{\mathbf{P}'}$

We consider these kinds of goals initial because the domain of problems for the meta-theorem prover is restricted to (possibly empty) conjunctions of $\Pi_2$-formulas. In particular, $\forall$L and $\wedge$L can be applied as many times as necessary until the formula to be proven contains only existential quantifiers. Thus, in general the proof state of the theorem prover can be described by a set of proof goals to be shown, where the formulas $F_1, \ldots, F_n$ are $\Sigma_1$-formulas:

$\Psi_1 \vdash \boxed{\mathbf{P}_1} \in F_1, \quad \ldots, \quad \Psi_n \vdash \boxed{\mathbf{P}_n} \in F_n$

Using the reflexivity lemma as example, we now motivate the three basic operations of the meta-theorem prover of Twelf: splitting, filling, and recursion. The meta-theorem prover is given the following initial state:

$T : \mathrm{tp}, E : \mathrm{term}\ T \vdash \boxed{\mathbf{P}'} \in \exists P : E \Longrightarrow E.\ \top$
Splitting

Recall that the original proof proceeds by case analysis. In this setting case analysis simply means to pick an assumption from the context and to examine all possible cases. The context of this proof goal contains two LF assumptions for which we can analyze cases: $T$ or $E$. In this situation, the meta-theorem prover will pick $E$; how it is determined that $E$ is the right hypothesis to be split is discussed in Section 8.3.3.

The splitting operation relies crucially on the regular world assumption. By definition, $E$'s head can only be a constant declared in the signature or a global parameter; there are no other options. This is exactly what the regular world assumption expresses. Therefore the meta-theorem prover traverses the entire signature, and by unification it determines $E = \mathrm{lam}\ (\lambda x : \mathrm{term}\ T.\ E'\ x)$ and $E = \mathrm{app}\ E_1\ E_2$ as possible shapes; finally it traverses the context schema and concludes that $E = x$ is a third option. The splitting operation implements one iteration of the coverage algorithm described in Section 7.3. Thus splitting yields a new proof state with three proof goals:

$T : \mathrm{tp}, (x : \mathrm{term}\ T, u : x \Longrightarrow x)^L \vdash \boxed{\mathbf{P}''_1} \in \exists P : x \Longrightarrow x.\ \top$

$T_1 : \mathrm{tp}, T_2 : \mathrm{tp}, E' : \mathrm{term}\ T_1 \to \mathrm{term}\ T_2 \vdash \boxed{\mathbf{P}''_2} \in \exists P : (\mathrm{lam}\ (\lambda x : \mathrm{term}\ T_1.\ E'\ x)) \Longrightarrow (\mathrm{lam}\ (\lambda x : \mathrm{term}\ T_1.\ E'\ x)).\ \top$

$T_1 : \mathrm{tp}, T_2 : \mathrm{tp}, E_1 : \mathrm{term}\ (T_2\ \mathrm{arrow}\ T_1), E_2 : \mathrm{term}\ T_2 \vdash \boxed{\mathbf{P}''_3} \in \exists P : (\mathrm{app}\ E_1\ E_2) \Longrightarrow (\mathrm{app}\ E_1\ E_2).\ \top$

In addition, $\boxed{\mathbf{P}'}$ is instantiated with a case construct whose list of cases $\Omega$ contains three entries. The case bodies are $\boxed{\mathbf{P}''_1}$, $\boxed{\mathbf{P}''_2}$, and $\boxed{\mathbf{P}''_3}$, respectively:

$\mathrm{case}\ (T/T, E/E; \mathrm{refl}/\mathrm{refl})\ \mathrm{of}$
$\quad (T : \mathrm{tp}, (x : \mathrm{term}\ T, u : x \Longrightarrow x)^L \triangleright T/T, x/E \mapsto \boxed{\mathbf{P}''_1}),$
$\quad (T_1 : \mathrm{tp}, T_2 : \mathrm{tp}, E' : \mathrm{term}\ T_1 \to \mathrm{term}\ T_2 \triangleright (T_1\ \mathrm{arrow}\ T_2)/T, (\mathrm{lam}\ E')/E \mapsto \boxed{\mathbf{P}''_2}),$
$\quad (T_1 : \mathrm{tp}, T_2 : \mathrm{tp}, E_1 : \mathrm{term}\ (T_2\ \mathrm{arrow}\ T_1), E_2 : \mathrm{term}\ T_2 \triangleright T_1/T, (\mathrm{app}\ E_1\ E_2)/E \mapsto \boxed{\mathbf{P}''_3})$

The current version of the meta-theorem prover computes proof terms only implicitly. In future revisions, the proof terms of $\mathcal{M}_2^+$ will be explicitly generated, and an efficient and independent proof checker will be provided that can verify them.

In summary, the splitting operation selects a proof goal from the proof state, selects a variable declaration (but not a parameter variable) from the proof goal, analyzes its cases, and adds the newly generated proof goals to the proof state.
Filling

The filling operation attempts to close a proof goal by constructing witness objects for the existentially quantified variables. In our example there is only one existential quantifier, but in the general case there might be several. In order to construct witness objects, the meta-theorem prover invokes the underlying LF theorem prover and passes it the list of assumptions and an upper search bound. The LF theorem prover either returns and reports success, or it fails. In the case that there are several existentially quantified declarations, the LF theorem prover attempts to find all objects simultaneously, because this way the theorem prover can take advantage of the dependencies that constrain the search spaces. Back to the example. Given the proof goal

$T : \mathrm{tp}, (x : \mathrm{term}\ T, u : x \Longrightarrow x)^L \vdash \boxed{\mathbf{P}''_1} \in \exists P : x \Longrightarrow x.\ \top$

the meta-theorem prover invokes the LF theorem prover to construct an instantiation for $\boxed{P''}$ from the assumptions $T$, $x$, and $u$. The LF theorem prover returns success and reports $u$ as solution. As expected by the meta-theorem prover, this solution is embedded in a proof term for $\exists P : x \Longrightarrow x.\ \top$,

$\boxed{\mathbf{P}''_1} = \langle u, \langle\rangle\rangle$

closing this proof goal. Two goals remain unsolved, but filling alone cannot solve them. In summary, the filling operation employs the underlying LF theorem prover to construct witness objects for the existential variables. If successful, the proof goal is completed and removed from the proof state.
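The following Twelf source is an added example; it is not code from the thesis or from the Twelf distribution. It writes down the signature that Examples 8.1 to 8.3 and the reflexivity lemma refer to (the constants tp, arrow, term, lam, app, plam and papp are the page's; the beta rule pbeta, the block name pv and the definition names refl_var, refl_lam and refl_app are my own), states the three objects the LF theorem prover constructs in Section 8.2.1 as definitions that the LF type checker of Section 8.2.2 verifies on loading, and then hands the reflexivity lemma to the meta-theorem prover of Section 8.3.1 as a $\Pi_2$-statement with termination order $E$ and LF search bound 5. The %theorem, %worlds and %prove declarations follow the syntax of current Twelf releases as I know it from the Twelf User's Guide; the 2000 version described on this page may have expected a different form, so treat those three lines as an assumption.

```twelf
%%% Simply-typed terms and parallel reduction, as in Section 2.2.
%%% The constants tp, arrow, term, lam, app, plam and papp are those
%%% the page refers to; pbeta is the usual beta rule, added here so
%%% that the signature is complete (an assumption of this example).
tp    : type.
arrow : tp -> tp -> tp.            %infix right 10 arrow.

term : tp -> type.
lam  : (term T1 -> term T2) -> term (T1 arrow T2).
app  : term (T2 arrow T1) -> term T2 -> term T1.

=> : term T -> term T -> type.     %infix none 10 =>.

plam  : ({x:term T1} (x => x) -> (E x => E' x))
         -> (lam E => lam E').
papp  : (E1 => E1') -> (E2 => E2')
         -> (app E1 E2 => app E1' E2').
pbeta : ({x:term T1} (x => x) -> (E x => E' x)) -> (E2 => E2')
         -> (app (lam E) E2 => E' E2').

%%% The regular world of Example 8.1: the context may only grow by a
%%% parameter x together with its reflexivity assumption u.  The block
%%% name pv is my own.
%block pv : some {T:tp} block {x:term T} {u:x => x}.

%%% The three objects the LF theorem prover finds in Examples 8.1-8.3,
%%% written as Twelf definitions whose Pi-binders spell out the proof-goal
%%% contexts.  Loading the file type checks each body against its declared
%%% type, which is the check Section 8.2.2 relies on.  Names are my own.
refl_var : {T:tp} {x:term T} {u:x => x} x => x
         = [T] [x] [u] u.

refl_lam : {T1:tp} {T2:tp} {E':term T1 -> term T2}
           {P:{x:term T1} (x => x) -> (E' x => E' x)}
           lam E' => lam E'
         = [T1] [T2] [E'] [P] plam ([x] [u] P x u).

refl_app : {T1:tp} {T2:tp} {E1:term (T2 arrow T1)} {E2:term T2}
           {P1:E1 => E1} {P2:E2 => E2}
           app E1 E2 => app E1 E2
         = [T1] [T2] [E1] [E2] [P1] [P2] papp P1 P2.

%%% The reflexivity lemma as the Pi2-statement handed to the meta-theorem
%%% prover: universals T (implicit) and E, existential P, induction on E,
%%% LF search bound 5, in the world described by pv.  Syntax as in current
%%% Twelf releases (assumption; the 2000 version may differ).
%theorem refl : forall* {T:tp} forall {E:term T}
                exists {P:E => E} true.
%worlds (pv) (refl _ _).
%prove 5 E (refl E P).
```

Loading the file (loadFile in the Twelf server) type checks the signature and the three definitions before the %prove declaration runs the meta-theorem prover. A definition whose body does not have its declared type is rejected at load time; that is the sense in which the search procedure stays outside the trusted base while the small type checker stays inside it. The splitting operation on the universal E produces exactly the three goals whose witnesses refl_var, refl_lam and refl_app spell out, and the %prove line makes the prover find them with filling (u, papp P1 P2) and recursion in the world pv (the lam case).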


Recursion 

The  recursion  operation  eagerly  calculates  all  possible  appeals  to  the  induction  hypotheses  and 
makes  their  results  available  in  a  proof  goal.  Consider  for  example  the  third  goal  in  the  proof 
state  of  the  meta-theorem  prover  in  our  example.  Recall,  that  the  original  universal  variable  E 
is  instantiated  by  ‘app  E\  E2  after  the  splitting  operation. 


Ti  :  tp,  T2  :  tp,  E\  :  term  (T2  arrow  Ti),  E2  :  term  T2 

P  ^ 
*3 

G  3P  :  (app  El  E2)  (app  Ei  E2).  T 

The meta-theorem prover is invoked with the argument which hypothesis to do induction on;
for this theorem it is E. Therefore, in order to guarantee termination, recursive calls can only
be applied to subterms of E. Implicitly, by splitting, the meta-theorem prover has learned about
the form of E. In particular it can derive that E_1 and E_2 are subterms of E. As a matter of fact,
these are the only two (non-equal) subterms of E whose type matches the one of the induction
hypothesis. Thus, there are only two ways of safely applying the induction hypothesis. The
first way is to apply it to (T_2 arrow T_1) and E_1, and the other way is to apply it to T_2 and
E_2. It is the recursion operation that calculates all possible outcomes of appeals to the induction
hypothesis. In this case the result is:

    ∃P_1 : E_1 ⇒ E_1. ⊤
    ∃P_2 : E_2 ⇒ E_2. ⊤


Because proof search is restricted to the Π_2-fragment of M_2^+, the result of applying an
induction hypothesis also lies in the Π_2-fragment. In this particular example, the situation is
even simpler: both result formulas are existential and therefore lie in the Σ_1-fragment. We
postpone the discussion of the more general case until Section 8.3.2.

Next, the recursion operation makes the witness objects of the recursive calls available as
assumptions. Logically speaking, it applies the ∃L rule of M_2^+ to extract the witness objects P_1
and P_2 in this example.

    T_1 : tp, T_2 : tp, E_1 : term (T_2 arrow T_1), E_2 : term T_2, P_1 : E_1 ⇒ E_1, P_2 : E_2 ⇒ E_2
      ⊢  P_3' ∈ ∃P : (app E_1 E_2) ⇒ (app E_1 E_2). ⊤


Because of the regular world assumption, applying recursion to the second to last proof goal is
more difficult. In the lam-case, for example, it is not enough to simply calculate all induction
hypotheses; the theorem prover must also consider extensions of the world in order not to
miss any.


    T_1 : tp, T_2 : tp, E' : term T_1 → term T_2  ⊢  P_2 ∈ ∃D : (lam (λx : term T_1. E' x)) ⇒ (lam (λx : term T_1. E' x)). ⊤

In this situation the original E has been instantiated to (lam (λx : term T_1. E' x)) by the
splitting operation. Without extending the current world, there is no way to apply the
induction hypothesis at all. On the other hand, it is possible to apply the induction hypothesis to
the body of E', assuming that the world has been extended by one new constructor x : term T_1.
Therefore, the recursion operation takes the context schema into account and considers all
possible extensions of the world in order to determine all inductive calls. For this particular
proof goal, there is only one way to extend the world,


    (x : term T_1, u : x ⇒ x)^L

and only one possible appeal to the induction hypothesis:

    Π(x : term T_1, u : x ⇒ x)^L. ∃P : (E' x) ⇒ (E' x). ⊤

The  recursion  operation  interprets  this  formula  as  a  new  hypothesis  and  inserts  it  into  the  proof 
goal: 


    T_1 : tp, T_2 : tp, E' : term T_1 → term T_2, P : Πx : term T_1. x ⇒ x → (E' x) ⇒ (E' x)
      ⊢  P_2 ∈ ∃D : (lam (λx : term T_1. E' x)) ⇒ (lam (λx : term T_1. E' x)). ⊤

In summary, the recursion operation calculates all possible applications of the induction
hypothesis and adds the new assumptions to the context of the proof goal. Clearly, the
main drawback of this approach is that too many applicable induction hypotheses will slow
down the underlying LF theorem prover because of a search space explosion. But this is not
a problem for this example. Applying two more filling operations to the remaining two proof
goals completes the proof of the reflexivity lemma.
8.3.2 Lemmas

In the previous subsection we have described the three basic operations providing the foundation
of the meta-theorem prover. But we have postponed one question: How does the prover apply
lemmas? Note that there is one fundamental difference between applying an induction hypothesis
and applying a lemma. So far we have only considered the special case where an appeal
to the induction hypothesis instantiates all universally quantified variables according to the
induction ordering. The arguments of a lemma application, on the other hand, are entirely
unconstrained. Therefore, the model used for calculating all induction hypotheses in a forward
directed manner is not applicable in this setting. There are simply too many possibilities,
possibly even infinitely many.

As  a  matter  of  fact,  a  very  similar  problem  occurs  already  in  the  general  case  of  determining 
possible  appeals  to  the  induction  hypothesis.  The  previously  used  technique  of  extracting  the 
LF-level  content  from  a  meta-level  formula  does  not  work  in  this  setting  if  only  some  but  not 
all  of  the  universally  quantified  variables  are  constrained  by  the  termination  ordering.  In  these 
situations,  the  result  of  applying  the  induction  hypothesis  is  typically  a  formula  that  is  still  in 
the  n2-fragment.  We  call  these  formulas  residual  lemmas  and  for  the  purpose  of  this  subsection, 
they  are  treated  the  same  way  as  lemmas  are. 

At the center of the treatment of lemmas stands the idea to exploit the LF theorem prover to
execute the search for lemma applications and their appropriate arguments. But how can this
be established? Lemmas are meta-level constructs, and the most basic design principle of M_2^+
is to separate the meta-level from the LF level. By design, the LF theorem prover should not
be able to access meta-level lemmas.

Fortunately, there is a solution to this dilemma. Using a technique very similar to
skolemization, we can encode meta-level lemmas as Skolem constants, provided that these
constants are only applied to arguments valid in the regular world. We write ∀ for Π to make
this distinction notationally self-evident. Consider for example the substitution Lemma 4.5 that
is required in the proof of the diamond Lemma 4.6. The substitution lemma is made accessible
on the LF level by a Skolem constant #subst.

    #subst : ∀T_1 : tp. ∀T_2 : tp. ∀E_1 : term T_2 → term T_1. ∀E_1' : term T_2 → term T_1.
             ∀E_2 : term T_2. ∀E_2' : term T_2.
             ∀D_1 : (Πy : term T_2. y ⇒ y → E_1 y ⇒ E_1' y). ∀D_2 : E_2 ⇒ E_2'.
             E_1 E_2 ⇒ E_1' E_2'

Skolem  constants  are  only  used  for  proof  search  by  the  underlying  LF  theorem  prover  and  for 
no  other  operation.  They  are  different  from  regular  constants  and  they  are  neither  considered 
for  splitting  nor  for  recursion.  One  remark  about  the  current  implementation:  The  LF  theorem 
prover  is  incomplete  because  it  cannot  extend  the  world  during  proof  search. 

How are Skolem constants used? In the pbeta/pbeta-case of the diamond lemma, for example,
when automatically generated, the filling operation constructs two calls to the lemma
implicitly. (We omit all implicit arguments to #subst.) It is a straightforward algorithm to
extract the lemma applications from this proof term and replace them by explicit lemma
applications, as shown in Figure 4.4.

    | dia (pbeta (λx : term T. λu : x ⇒ x. D_1^l x u) D_2^l)
          (pbeta (λx : term T. λu : x ⇒ x. D_1^r x u) D_2^r) =
        let
          new x : term T, u : x ⇒ x
          val ⟨P_1 x u, P_2 x u⟩ = dia (D_1^l x u) (D_1^r x u)
        in
          let
            val ⟨Q_1, Q_2⟩ = dia D_2^l D_2^r
          in
            ⟨#subst P_1 Q_1, #subst P_2 Q_2⟩
          end
        end

As a final example for the treatment of lemmas, consider the formula describing the diamond
Lemma 4.6. It is used in the proof of the strip Lemma 4.7.

    ∀T : tp. ∀E : term T. ∀E^l : term T. ∀E^r : term T.
    ∀D^l : E ⇒ E^l. ∀D^r : E ⇒ E^r.
    ∃E' : term T. ∃R^l : E^l ⇒ E'. ∃R^r : E^r ⇒ E'. ⊤

Once the meta-theorem prover has successfully completed the proof of this lemma, it emits
new Skolem constants to make it accessible for subsequent theorems. There are three of these
constants; each Skolem constant corresponds to one existential quantifier.

    #dia1 : ∀T : tp. ∀E : term T. ∀E^l : term T. ∀E^r : term T.
            ∀D^l : E ⇒ E^l. ∀D^r : E ⇒ E^r.
            term T

    #dia2 : ∀T : tp. ∀E : term T. ∀E^l : term T. ∀E^r : term T.
            ∀D^l : E ⇒ E^l. ∀D^r : E ⇒ E^r.
            E^l ⇒ (#dia1 D^l D^r)

    #dia3 : ∀T : tp. ∀E : term T. ∀E^l : term T. ∀E^r : term T.
            ∀D^l : E ⇒ E^l. ∀D^r : E ⇒ E^r.
            E^r ⇒ (#dia1 D^l D^r)

In  summary,  the  meta-theorem  prover  can  efficiently  apply  lemmas  and  residual  lemmas  by 
encoding  them  as  Skolem  constants  in  LF.  In  the  implementation  the  LF  theorem  prover  treats 
them  as  LF  constants  applicable  only  to  closed  terms  valid  in  the  regularly  formed  world. 
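The encoding of a lemma as Skolem constants described in this subsection, as an added example (not Twelf's code, and not the notation the thesis uses): it generalizes the three #dia constants above to any Π_2 formula, one constant per existential quantifier, and keeps all arguments explicit, whereas the page omits the implicit ones. The function name skolemize, the concrete syntax {x:A} for ∀ and => for ⇒, and the spellings El, Er, Dl, Dr, Rl, Rr are assumptions of the example.

```python
"""Added example, not Twelf's code: encode a Pi_2 lemma (a block of universal
quantifiers followed by a block of existential quantifiers) as the Skolem
constants described in Section 8.3.2, one constant per existential quantifier.
Every constant abstracts over all universals; where the type of a later
existential mentions an earlier existential variable, that variable is replaced
by the corresponding Skolem constant applied to the universals. Concrete syntax
is an assumption of this demo: {x:A} for the universal prefix and => for the
parallel reduction relation of the page; unlike the page, no implicit argument
is omitted."""
import re

def skolemize(name, universals, existentials):
    """universals and existentials are lists of (variable, type) pairs in binding
    order; returns one declaration string per existential."""
    prefix = "".join(f"{{{v}:{t}}} " for v, t in universals)
    args = " ".join(v for v, _ in universals)
    subst, decls = {}, []
    for i, (v, t) in enumerate(existentials, start=1):
        const = f"#{name}{i}"
        body = t
        for old, new in subst.items():
            # whole-token replacement so that E neither matches E' nor El
            body = re.sub(rf"(?<![\w'^]){re.escape(old)}(?![\w'^])", new, body)
        decls.append(f"{const} : {prefix}{body}.")
        subst[v] = f"({const} {args})"
    return decls

# The diamond Lemma 4.6 of the page in the constructed syntax (El, Er for E^l, E^r).
DIAMOND_UNIVERSALS = [("T", "tp"), ("E", "term T"), ("El", "term T"), ("Er", "term T"),
                      ("Dl", "E => El"), ("Dr", "E => Er")]
DIAMOND_EXISTENTIALS = [("E'", "term T"), ("Rl", "El => E'"), ("Rr", "Er => E'")]

def diamond_skolem_constants():
    return skolemize("dia", DIAMOND_UNIVERSALS, DIAMOND_EXISTENTIALS)

if __name__ == "__main__":
    print("\n".join(diamond_skolem_constants()))
```

The second and third constants mention the first one applied to all six universals, which is exactly the dependency the page shows between #dia2, #dia3 and #dia1.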

8.3.3  Strategy 

Filling, splitting, and recursion are the three basic operations underlying the implementation of
the meta-theorem prover. Each of the operations has a different output behavior. Filling, for
example, can either succeed (and solve a proof goal) or fail, indicating that further splitting steps
Figure 8.1: Proof strategy


are necessary. Splitting itself is almost always applicable as long as there are splittable
(assumption) variables in the context. On the downside, it can be very tricky to predict which
assumptions to split. Thus, any implementation of search using these three operations must be
fair in selecting splitting operations; otherwise the search may run into an infinite descent.

The  only  operation  that  can  be  deterministically  applied  is  the  recursion  operation.  It  inserts 
the  results  of  applying  all  induction  hypotheses  eagerly  into  the  current  proof  goal,  possibly 
extending  the  list  of  residual  lemmas.  The  operation  is  entirely  deterministic  and  finite,  and 
therefore  worth  applying  to  every  new  proof  goal  inserted  into  the  proof  state  by  splitting. 

These  observations  lead  to  the  obvious  and  very  straightforward  design  of  a  strategy  for  the 
theorem  prover  that  is  depicted  in  Figure  8.1.  It  is  this  strategy  which  is  implemented  in  the 
Twelf  system. 

Given a proof state consisting of many proof goals, the strategy arbitrarily picks the current
proof goal. It then attempts to complete this goal by applying the filling step. There are two
possible outcomes. First, if the goal has been successfully proven, it can be safely removed
from the proof state; second, if the filling step failed, a splitting operation must be
invoked. In general, there are many ways splitting can be applied to a proof state: in the proof
of the reflexivity lemma above, for example, there are initially two possible splits, on T and
on E; in the subsequent lam-case there are three, and in the app-case even four.
Splitting typically generates several new proof goals, and each of them is pumped through the
recursion operation to compute the results of all inductive calls. Naturally, new assumptions
added by recursion may be subject to further splitting steps at later stages of the proof. The
new proof goals are added to the proof state.

In the case that neither a filling operation nor a splitting operation can be successfully applied
to a proof goal, the meta-theorem prover halts and reports that a proof cannot be found. In
the case that the filling operation is successful, the meta-theorem prover simply picks another
proof goal from the proof state.

The most difficult decision for Twelf is to select the assumption from the context of a proof
goal to split next. The current implementation employs a very simple and in a few cases
unsatisfactory heuristic: for example, it will never split a variable that appears as an index in
the type of any other variable, and among the remaining choices it picks a variable that has
been part of a splitting operation the least number of times. There are a few other bits of
information which influence its choice, such as the position of the variable in the induction
order or the number of cases generated. Concretely, we attach a counter to every splittable
variable in the context of a proof state; the counter is increased and inherited by the
children of the variable affected by a splitting operation. To avoid infinite chains of splitting
operations, the meta-theorem prover is parameterized by an upper bound on the number of
splits of one variable. The size of the search space of the meta-theorem prover depends crucially
on this bound. As a side effect, the bound implies fairness of the application of splitting
operations: only finitely many splitting operations are applicable, and consequently every
applicable operation will eventually be applied.
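The control loop of Figure 8.1 and the splitting heuristic just described, as an added example that is not Twelf's code: a toy model in Python in which a proof goal is represented by its context alone, filling and recursion are supplied by the caller, and the constructed signature CASES mimics the app and lam cases of the reflexivity lemma (the variable case from the parameter block is left out). The names Var, CASES, prove, fill_reflexivity and recurse_reflexivity, and the way index variables are dropped on a split, are assumptions of the example.

```python
"""Toy model of the proof strategy of Section 8.3.3 and Figure 8.1.

Added example, not Twelf's implementation. It runs the loop fill / split /
recurse and the splitting heuristic stated in the text: never split a variable
that occurs as an index in another variable's type, prefer the variable split
least often, and never split a variable whose inherited counter has reached the
bound. Goals are modelled by their contexts; filling and recursion are supplied
by the caller. CASES is a constructed signature (the lam/app cases from the
page and a minimal tp)."""
from dataclasses import dataclass
from typing import Callable, Iterator, Optional

@dataclass(frozen=True)
class Var:
    name: str
    family: str            # head of the variable's type: "tp", "term", or "red" (E => E)
    indices: frozenset     # names of the variables occurring in the type
    splits: int = 0        # counter inherited through splitting

# Variables each constructor case introduces when a variable of a family is split;
# index entries name new variables of the same case (E1 : term (T2 arrow T1), E2 : term T2).
CASES = {
    "term": {"app": [("T1", "tp", ()), ("T2", "tp", ()),
                     ("E1", "term", ("T1", "T2")), ("E2", "term", ("T2",))],
             "lam": [("T1", "tp", ()), ("T2", "tp", ()), ("E'", "term", ("T1", "T2"))]},
    "tp": {"base": [], "arrow": [("T1", "tp", ()), ("T2", "tp", ())]},
}

def splittable(goal: tuple, bound: int) -> list:
    """Heuristic: not an index of another variable, of a family with cases, below the bound."""
    indexed = set()
    for v in goal:
        indexed |= v.indices
    return [v for v in goal if v.name not in indexed and v.family in CASES and v.splits < bound]

def choose_split(goal: tuple, bound: int) -> Optional[Var]:
    """Least-split candidate first; min() keeps context order on ties."""
    cands = splittable(goal, bound)
    return min(cands, key=lambda v: v.splits) if cands else None

def split(goal: tuple, v: Var, fresh: Iterator[int]) -> list:
    """One child goal per constructor case of v. The split variable and the variables
    indexing its type leave the context (the real prover instantiates the latter by
    unification; the toy drops them); new variables inherit v.splits + 1."""
    rest = tuple(u for u in goal if u is not v and u.name not in v.indices)
    children = []
    for case_vars in CASES[v.family].values():
        n = next(fresh)
        rename = {short: f"{short}_{n}" for short, _, _ in case_vars}
        new = tuple(Var(rename[s], fam, frozenset(rename[i] for i in idx), v.splits + 1)
                    for s, fam, idx in case_vars)
        children.append(rest + new)
    return children

def prove(goal: tuple, fill: Callable, recurse: Callable, bound: int) -> tuple:
    """The loop of Figure 8.1; returns (proved, number of splitting operations)."""
    fresh, state, n_splits = iter(range(1, 1_000_000)), [recurse(goal)], 0
    while state:
        g = state.pop()                     # pick an arbitrary goal (here: the last one)
        if fill(g):
            continue                        # solved: the goal leaves the proof state
        v = choose_split(g, bound)
        if v is None:
            return False, n_splits          # neither filling nor splitting applies
        n_splits += 1
        state.extend(recurse(c) for c in split(g, v, fresh))
    return True, n_splits

# Toy instance: the reflexivity lemma of the page (app and lam cases only).
def recurse_reflexivity(goal: tuple) -> tuple:
    """Recursion: every term variable created by a split is a proper subterm of E,
    so the induction hypothesis result P : E_i => E_i is added, indexed by E_i."""
    return goal + tuple(Var(f"P_{v.name}", "red", frozenset({v.name}), v.splits)
                        for v in goal if v.family == "term" and v.splits > 0)

def fill_reflexivity(goal: tuple) -> bool:
    """Stand-in for the LF theorem prover: the congruence rule closes the goal once
    every term variable carries an induction-hypothesis assumption."""
    covered = {i for v in goal if v.family == "red" for i in v.indices}
    return all(v.name in covered for v in goal if v.family == "term")

INITIAL = (Var("T", "tp", frozenset()), Var("E", "term", frozenset({"T"})))

def demo_reflexivity() -> tuple:
    return prove(INITIAL, fill_reflexivity, recurse_reflexivity, bound=2)

def demo_unprovable(bound: int) -> tuple:
    """Filling never succeeds; the bound makes the search halt with failure."""
    return prove(INITIAL, lambda g: False, lambda g: g, bound=bound)

if __name__ == "__main__":
    print(demo_reflexivity(), demo_unprovable(1), demo_unprovable(2))
```

In the first run the heuristic refuses to split T because it indexes the type of E, splits E once, and filling closes both children after recursion has added the induction hypotheses. Running prove with a filling oracle that never succeeds shows the role of the bound: with bound 1 the search halts after a single split, with bound 2 after two, instead of descending forever.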

8.3.4  Correctness 

The correctness argument for the implementation of the meta-theorem prover follows the
correctness argument of the LF theorem prover. The meta-theorem prover relies on complicated
operations that are very difficult to verify, such as splitting, filling, and recursion. Therefore,
we should not trust the implementation of the meta-theorem prover. Instead, we should trust
an independent proof checker that verifies the correctness of the proofs generated by the
meta-theorem prover.

Proof-checking for M_2^+ is decidable since every proof term constructor uniquely determines
the most recently applied rule. Despite this observation, an implementation of an independent
proof checker for M_2^+ is significantly more complicated than a type checker for LF, because in
addition it also has to verify the termination Condition (5.1), the coverage Condition (5.2), and
the strictness Condition (5.3). The decision procedure for the syntactic criterion for the coverage
condition is particularly difficult to verify because it relies on the correctness of the unification
algorithm that we have defined in Section 7.3.

The current implementation does not provide an independent proof checker for M_2^+; it is still
work in progress. A proof-checker for M_2^+ will satisfy the same conditions as the schema-checker
for LF was designed to verify [Roh96], namely type preservation, termination, and progress. The
main difference between both approaches is that the M_2^+ proof-checker verifies properties about
functions in M_2^+, whereas the schema-checker verifies properties about relations represented in
LF under a logic programming interpretation. For the purpose of verification, the M_2^+ proof-
checker can take full advantage of the type system of M_2^+; all necessary algorithms are described
in this thesis. The schema checker on the other hand does not enjoy the luxury of a formal meta-
logic; it is merely designed to guarantee termination and coverage properties of logic programs
and proofs.

The  idea  of  reducing  the  problem  of  correctness  away  from  the  tool  itself  towards  the  instances 
the  tool  generates  is  not  new.  Pollack  [Pol97]  for  example  distinguishes  between  the  correctness 
of  the  method  and  the  correctness  of  the  proofs. 

Clearly, the method behind the implementation of the meta-theorem prover in Twelf is in
principle correct because it constructs M_2^+ proof terms, and M_2^+ is sound by Theorem 7.28. To
judge if the implementation itself is correct, we propose a small and independent proof-checker
that checks each proof term; its design is well understood, but it is not yet implemented in
the current version of Twelf. However, a custom made proof checker is not necessary if we can
devise an algorithm that translates Twelf meta-proofs over higher-order encodings into proofs
readable and verifiable by traditional theorem provers. By doing so, the verification problem
moves away from M_2^+ into a logic which supports standard induction principles, which relies on
the closed world assumption, and for which there are numerous independent implementations.
Naturally, after a translation, the proofs explode in size because every appeal to a substitution
lemma, weakening lemma, or exchange lemma has to be made explicit.

One such translation technique uses de Bruijn indices [dB72]: variable occurrences are
translated into natural numbers. Note that the correctness of this technique relies on the
correctness of the transformation function itself. There are many (more or less) trusted proof
checkers that can verify de Bruijn encodings and standard induction principles, such as for
example HOL [GM93], LCF/ML [Pau87], Coq [CT95], Lego [Pol94], Isabelle [Pau94], or PVS
[OSRSC99].
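The de Bruijn translation mentioned above, as an added example that is not part of the thesis: named λ-terms are converted to de Bruijn form, and a shift function makes weakening explicit, which is one reason the translated proofs grow in size as the paragraph states. The tuple shapes, the function names to_de_bruijn and shift, and the sample terms are assumptions of the example.

```python
"""Added example, not from the thesis: the de Bruijn translation named in
Section 8.3.4. Named lambda terms are constructed as nested tuples
("var", x) | ("lam", x, body) | ("app", f, a). A bound occurrence becomes
("idx", n), n being the number of binders between the occurrence and its
binder, so alpha-equivalent terms translate to identical terms; shift() is the
weakening lemma made explicit, the kind of step that inflates translated
proofs."""

def to_de_bruijn(term, env=()):
    """env lists the binders in scope, innermost last."""
    tag = term[0]
    if tag == "var":
        for n, y in enumerate(reversed(env)):     # distance 0 = closest binder
            if y == term[1]:
                return ("idx", n)
        return ("free", term[1])                  # not bound inside this term
    if tag == "lam":
        return ("lam", to_de_bruijn(term[2], env + (term[1],)))
    return ("app", to_de_bruijn(term[1], env), to_de_bruijn(term[2], env))

def shift(term, d, cutoff=0):
    """Renumber every index that points outside the term (>= cutoff) by d, as
    needed when the term is placed under d additional binders."""
    tag = term[0]
    if tag == "idx":
        return ("idx", term[1] + d if term[1] >= cutoff else term[1])
    if tag == "lam":
        return ("lam", shift(term[1], d, cutoff + 1))
    if tag == "app":
        return ("app", shift(term[1], d, cutoff), shift(term[2], d, cutoff))
    return term                                   # free names are unaffected

# Constructed inputs: two alpha-equivalent spellings of the term λx.λy. x y
K1 = ("lam", "x", ("lam", "y", ("app", ("var", "x"), ("var", "y"))))
K2 = ("lam", "a", ("lam", "b", ("app", ("var", "a"), ("var", "b"))))

def alpha_equivalent(s, t):
    """Alpha-equivalence reduces to equality of the de Bruijn translations."""
    return to_de_bruijn(s) == to_de_bruijn(t)
```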

8.3.5  Limitations 

The current implementation of the meta-theorem prover in Twelf is an experimental prototype.
Therefore it has several limitations. Some of the limitations are easily generalizable; others open
entirely new research areas. The implementation has one limitation that is due to specialization.
In its current form, the meta-theorem prover is restricted to handling only one variable block ρ in
the context Γ of any proof goal. In a situation where more than one variable block is required,
the theorem prover fails due to incompleteness. This restriction will be removed in the next
release.

A more severe limitation is due to the choice of the splitting variable. Currently, the
assumption to be split is chosen by a heuristic, and in some cases it commits to the right choice,
but in general it does not. The heuristic implemented in the current prototype is sufficient for
many examples and surprisingly effective despite its simplicity, but the general case is not well
understood. In particular, failure situations in which no splitting operation makes progress
should be recognized early in the proof but are not in the current implementation. The
objective must be to not further explore unpromising branches and to provide good feedback to
the user on why the proof cannot be found.

Therefore, all possible splitting operations that are applicable to a particular proof goal should
be ordered in such a way that the “right” splitting operation is among those that rank very highly.
Splitting operations that do not advance the proof should rank very low in this ordering. Only
with a better understanding of what constitutes a good splitting operation does the meta-theorem
prover stand a chance to formulate helpful error messages that may indicate that a lemma is
missing or that the current formula to be proven must be further generalized.

The meta-theorem prover works only for the Π_2-fragment of M_2^+. Recall that M_2^+ provides
very few connectives on the level of theorems. In many situations, however, Twelf users
would like to formulate and prove theorems that lie outside the Π_2-fragment, but the meta-
logic M_2^+ does not support these kinds of theorems. In other situations, one may desire to
use other connectives than quantification and conjunction, such as, for example, disjunction,
implication, or negation (see also the remark on typing continuations in Section 7.1.4). Luckily,
for special instances, disjunctions and negations can be encoded directly in LF, and therefore
this incompleteness of M_2^+ is not as grave as it looks at first sight.

Yet another connective that is not provided by M_2^+ but desired by many Twelf users is
the ability to express unique existence. The reflexivity lemma from above, for example, can be
expressed as

    ∀T : tp. ∀E : term T. ∃!D : E ⇒ E. ⊤

where the ∃! quantifier expresses that there exists exactly one object of type E ⇒ E. One
remedy to enhance the expressiveness of the meta-logic is to explicitly add equality: if D_1 and
D_2 are two objects of type E ⇒ E then D_1 equals D_2. We postpone any further speculation
on how equality can be added to the meta-logic until Section 9.1.3.

Finally, another limitation of the implementation of the meta-theorem prover is that it does
not explicitly construct any proof terms yet. Internally, they are there, because all three
basic operations, splitting, recursion, and filling, are directly associated with the recipe
of how to construct them; but in the current version Twelf does not export them. Therefore,
M_2^+-proofs are currently not verifiable by any other independent and trusted proof checker.
This limitation will disappear with the next version.


8.4  A  Case  Study 

In this section we present as a case study the entire development of the Church-Rosser example
from Chapter 2, and automated versions of the meta-proofs from Chapter 4 in Twelf. We
proceed with the presentation in two steps. First, we give a brief overview of Twelf and
comment on the concrete syntax implemented in the Twelf system in Section 8.4.1, and then we
present the development of the Church-Rosser theorem in Section 8.4.2.

8.4.1  A  Brief  Overview  of  Twelf 

Twelf implements the logical framework LF; signatures represent all type-level and object-level
constant declarations, are written in regular ASCII files, and can be loaded into Twelf. Twelf
employs a powerful type reconstruction algorithm that allows the user to be brief and concise.
For example, the signatures for the Church-Rosser theorem from Figure 2.2 and Figure 3.1 can
be directly loaded into Twelf. It is this elegant correspondence that makes Twelf an ideal rapid
prototyping tool for the design of logics and programming languages. However, this thesis does
not account for all details and features that the Twelf system offers. Instead we invite the reader
to consult the Twelf manual [PS98] and Pfenning's book [Pfe00] for a complete presentation of
the Twelf system and many more examples.

We begin the discussion by defining lexical conventions before we present the concrete
syntax for encoding LF signatures in Twelf. Finally we introduce the syntax for expressing
theorems and proofs in Twelf.

Lexical  Conventions 

The lexical analysis of Twelf has purposely been kept simple, with few reserved characters and
identifiers. As a result one may need to use more whitespace to separate identifiers than in other
languages. For example, A->B or A+B are single identifiers, while A -> B and A + B both consist
of 3 identifiers. During parsing, identifiers are resolved as reserved identifiers, constants, bound
variables, or free variables, following the usual rules of static scoping in λ-calculi. Figure 8.2
lists all reserved characters in Twelf.

All printing characters that are not reserved can be included in identifiers, which are
separated by whitespace or reserved characters. In particular, A->B is an identifier, whereas A -> B
stands for the type of functions from A to B. An uppercase identifier is one which begins with
an underscore _ or a letter in the range A through Z. A lowercase identifier begins with any
other character except a reserved one. Numbers also count as lowercase identifiers and are not
interpreted specially. Free variables in a declaration must be uppercase; bound variables and
constants may be either uppercase or lowercase identifiers.
‘:’           colon, constant declaration or ascription
‘.’           period, terminates declarations
‘( )’         parentheses, for grouping terms
‘[ ]’         brackets, for λ-abstraction
‘{ }’         braces, for quantification (dependent function types)
whitespace    separates identifiers (space, newline, tab, carriage return)
‘%’           introduces comments or special keyword declarations
‘% ’ ‘%%’     comment terminated by the end of the line, may contain any characters
‘%{ }%’       delimited comment, nested %{ and }% must match
‘%keyword.’   various declarations
‘%.’          end of input stream
‘"’           doublequote, disallowed
other printing characters   identifier constituents

Figure 8.2: Reserved identifiers


‘->’     function type
‘<-’     reverse function type
‘_’      hole, to be filled by term reconstruction
‘=’      definition
‘type’   the kind type

Figure 8.3: Reserved identifiers with predefined meaning


Figure  8.3  depicts  the  five  reserved  identifiers  with  a  predefined  meaning  which  cannot  be 
changed.  These  can  be  constituents  of  other  identifiers  which  are  not  interpreted  specially. 
Constants  have  static  scope,  which  means  that  they  can  be  shadowed  by  subsequent  declarations. 
Uppercase  identifiers  in  declarations  represent  schematic  variables. 
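The lexical conventions of this section (Figure 8.2 and Figure 8.3), as an added example that is not Twelf's implementation: a tokenizer that separates identifiers at whitespace and reserved characters, handles the comment forms, and classifies identifiers as predefined, uppercase or lowercase. The functions tokenize and classify and the demo input are assumptions of the example.

```python
"""Added example, not Twelf's implementation: a tokenizer for the lexical
conventions of Figure 8.2 together with the identifier classes of this section
(the predefined reserved identifiers of Figure 8.3, uppercase identifiers that
may be free variables, and lowercase identifiers). Demo inputs are constructed."""
RESERVED = set(':.()[]{}%"')
SPACE = set(" \t\r\n")
PREDEFINED = {"->", "<-", "_", "=", "type"}     # Figure 8.3: meaning cannot be changed

def _ident_end(src, j):
    """Identifiers are maximal runs of printing characters that are not reserved."""
    while j < len(src) and src[j] not in SPACE and src[j] not in RESERVED:
        j += 1
    return j

def tokenize(src):
    """Return (kind, text) tokens. Comments are dropped: '% ' and '%%' run to the
    end of the line, '%{ ... }%' nests and must match, and '%.' ends the input
    stream. '%keyword' produces a ('%', keyword) token; '"' is rejected."""
    toks, i, n = [], 0, len(src)
    while i < n:
        c = src[i]
        if c in SPACE:
            i += 1
        elif c == '"':
            raise SyntaxError("doublequote is not allowed")
        elif c == "%":
            nxt = src[i + 1] if i + 1 < n else " "
            if nxt in SPACE or nxt == "%":
                j = src.find("\n", i)
                i = n if j < 0 else j + 1
            elif nxt == "{":
                depth, i = 1, i + 2
                while depth and i < n:
                    if src.startswith("%{", i):
                        depth, i = depth + 1, i + 2
                    elif src.startswith("}%", i):
                        depth, i = depth - 1, i + 2
                    else:
                        i += 1
                if depth:
                    raise SyntaxError("unterminated %{ comment")
            elif nxt == ".":
                break
            else:
                j = _ident_end(src, i + 1)
                toks.append(("%", src[i + 1:j]))
                i = j
        elif c in RESERVED:
            toks.append((c, c))
            i += 1
        else:
            j = _ident_end(src, i)
            toks.append(("id", src[i:j]))
            i = j
    return toks

def classify(ident):
    """Predefined reserved identifier, uppercase (starts with _ or A..Z, so it may
    be a free variable), or lowercase (numbers included)."""
    if ident in PREDEFINED:
        return "reserved"
    return "uppercase" if ident[0] == "_" or "A" <= ident[0] <= "Z" else "lowercase"

def demo():
    # Constructed input: nested comment, A->B as one identifier, a %name declaration.
    src = "%{ outer %{ inner }% still }% A->B A -> B %name term E. %% comment\nx %. ignored"
    return tokenize(src)
```

The demo input shows the two points the text makes: A->B is a single identifier while A -> B is three, and everything after %. is ignored.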

Syntax  for  LF 

In LF, deductive systems are represented by signatures consisting of constant declarations.
Twelf implements declarations in a straightforward way and generalizes signatures by also
allowing definitions which are semantically transparent [PS99a]. Twelf currently does not have
module-level constructs in the spirit of [HP98] and therefore, for example, signatures cannot be
named. Instead, multiple signatures can be manipulated in the programming environment using
configurations.

The  LF  type  theory  is  stratified  into  three  levels:  objects,  types,  and  kinds.  Twelf  does  not 
syntactically  distinguish  these  levels  and  simply  uses  one  syntactic  category  of  term.  Similarly, 
object-level  constants  and  type-level  constants  as  well  as  variables  share  one  name  space  of 
identifiers. 

The grammar depicted in Figure 8.4 formalizes the logical framework LF from Section 2.4.
It defines the non-terminals sig, decl, term and uses the terminal id which stands for identifiers.
There are various special declarations %keyword, such as %infix or %theorem, with special
arguments, such as ixdecl, thdecl, pdecl, or callpats, which we discuss in detail below. Note that this
sig   ::=                          empty signature
        | decl sig                 constant declaration

decl  ::= id : term.               a : K or c : A
        | id : term = term.        d : A = M
        | id = term.               d = M
        | _ : term = term.         anonymous definition, for type-checking
        | _ = term.                anonymous definition, for type-checking
        | %infix ixdecl.           operator declaration
        | %name id id.             name preference declaration
        | %theorem thdecl.         theorem declaration
        | %prove pdecl.            prove declaration
        | %establish pdecl.        prove declaration, don't make available as lemma
        | %assert callpats.        assert theorems (only in unsafe mode)

Figure 8.4: Concrete syntax of Twelf


term  ::= type                     type
        | id                       variable x or constant a, c, or d
        | term -> term             A → B
        | term <- term             A ← B, same as B → A
        | {id : term} term         Πx : A. K or Πx : A. B
        | [id : term] term         λx : A. B or λx : A. M
        | term term                A M or M N
        | term : term              explicit type ascription
        | _                        hole, to be filled by term reconstruction
        | {id} term                same as {id : _} term
        | [id] term                same as [id : _] term

Figure 8.5: Syntax for terms


is only a brief description of Twelf; there are many other special declarations that we do not
describe here. We restrict this presentation to the ones that are relevant to the development
of the Church-Rosser theorem that we describe in Section 8.4.2.

The  syntax  for  terms  is  depicted  in  Figure  8.5.  The  constructs  {x:U}  V  and  [x:U]  V  bind 
the  identifier  x  in  V,  which  may  shadow  other  constants  or  bound  variables.  As  usual  in  type 
theory,  U  ->  V  is  treated  as  an  abbreviation  for  {x:U}  V  where  x  does  not  appear  in  V.  However, 
there  is  a  subtlety  in  that  the  latter  allows  an  implicit  argument  to  depend  on  x  while  the  former 
does  not.  We  shed  some  light  on  implicit  arguments  later  in  this  section. 

In order of precedence, we disambiguate the syntax as follows: Juxtaposition (application)
is left associative and has highest precedence. -> is right and <- left associative with equal
precedence. : is left associative. {} and [] are weak prefix operators.
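The precedence rules just stated, as an added example that is not Twelf's own parser: a recursive-descent parser over the term syntax of Figure 8.5 in which juxtaposition binds tightest and associates left, -> and <- share one level (right and left associative respectively, and a mix such as a <- b -> c is rejected), : is weakest, and the bodies of {} and [] extend as far right as possible. The one-line lexer covers identifiers and reserved characters only; comments are out of scope here. The names Parser, parse_term and parses and the tuple shapes of the result are assumptions of the example.

```python
"""Added example, not Twelf's implementation: a precedence parser for the term
syntax of Figure 8.5 under the rules of this section. Juxtaposition is left
associative and binds tightest; -> (right associative) and <- (left associative)
share one level and may not be mixed; : is left associative and weakest; {} and
[] are weak prefix operators whose body extends as far right as possible. Terms
become nested tuples. Demo inputs are constructed."""
import re
from functools import reduce

TOKEN = re.compile(r'[:.()\[\]{}]|[^\s:.()\[\]{}%"]+')   # reserved characters or identifiers
PUNCT = set(":.()[]{}")
ARROWS, STOP = ("->", "<-"), ("->", "<-", "=")        # identifiers that cannot start an atom

class Parser:
    def __init__(self, src):
        self.toks, self.pos = TOKEN.findall(src), 0
    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None
    def take(self, expected=None):
        tok = self.peek()
        if expected is not None and tok != expected:
            raise SyntaxError(f"expected {expected!r}, found {tok!r}")
        self.pos += 1
        return tok
    def term(self):                    # term := arrows (':' arrows)*; ':' left associative
        t = self.arrows()
        while self.peek() == ":":
            self.take()
            t = ("asc", t, self.arrows())
        return t
    def arrows(self):                  # one precedence level shared by -> and <-
        parts, ops = [self.app()], []
        while self.peek() in ARROWS:
            ops.append(self.take())
            parts.append(self.app())
        if len(set(ops)) > 1:          # a <- b -> c
            raise SyntaxError("ambiguous: -> and <- mixed at equal precedence")
        fold = lambda acc, p: ("arrow", p, acc)     # A <- B is represented as B -> A
        if ops and ops[0] == "->":     # right associative
            return reduce(fold, reversed(parts[:-1]), parts[-1])
        return reduce(fold, parts[1:], parts[0])    # left associative
    def at_atom(self):
        tok = self.peek()
        return tok in ("(", "{", "[") or (tok is not None and tok not in PUNCT and tok not in STOP)
    def app(self):                     # juxtaposition: left associative, highest precedence
        t = self.atom()
        while self.at_atom():
            t = ("app", t, self.atom())
        return t
    def atom(self):
        tok = self.take()
        if tok == "(":
            t = self.term()
            self.take(")")
            return t
        if tok in ("{", "["):          # binder: weak prefix, its body extends maximally
            x = self.take()
            ty = ("hole",)
            if self.peek() == ":":
                self.take()
                ty = self.term()
            self.take("}" if tok == "{" else "]")
            return ("pi" if tok == "{" else "lam", x, ty, self.term())
        if tok is None or tok in PUNCT or tok in STOP:
            raise SyntaxError(f"unexpected {tok!r}")
        return ("type",) if tok == "type" else ("hole",) if tok == "_" else ("id", tok)

def parse_term(src):
    p = Parser(src)
    t = p.term()
    if p.peek() is not None:
        raise SyntaxError(f"trailing input {p.peek()!r}")
    return t

def parses(src):
    """True if src is a single well-formed term under the rules above."""
    try:
        return parse_term(src) is not None
    except SyntaxError:
        return False
```

Because the binder body is parsed as a full term, {x:A} B -> C yields the dependent type over the whole of B -> C, which is what "weak prefix operator" means in the paragraph above.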

New type-level and object-level constants can be introduced with id : term. Any identifier x
may be bound by the innermost enclosing binder for x of the form {x:A} or [x:A]. Any identifier
assoc   ::= none                   not associative
          | left                   left associative
          | right                  right associative

prec    ::= nat                    0 ≤ prec < 10000

ixdecl  ::= assoc prec id

Figure 8.6: User-defined infix operators


which  is  not  explicitly  bound  may  be  a  declared  or  defined  constant.  Any  uppercase  identifier, 
that  is,  identifier  starting  with  _  (underscore)  or  an  upper  case  letter,  may  be  a  free  variable. 
Free  variables  are  interpreted  universally  and  their  type  is  inferred  from  their  occurrences.  Any 
other  undeclared  identifier  is  flagged  as  an  error. 

Twelf supports notational definitions, currently employing a restriction that allows a simple and 
efficient internal treatment. Semantically, definitions are completely transparent, that is, for 
both type checking and the operational semantics definitions may be expanded. Definitions id : 
term = term. and id = term. (which is equivalent to id : _ = term.) can only be made on 
the level of objects, not at the level of type families, because the interaction of such definitions 
with logic programming search has not been fully investigated. 

In  order  to  avoid  always  expanding  definitions,  Twelf  currently  only  permits  strict  definitions 
[PS99a].  A  definition  of  a  constant  c  is  strict  if  all  arguments  to  c  (implicit  or  explicit)  have 
at  least  one  strict  occurrence  in  the  right-hand  side  of  the  definition,  and  the  right-hand  side 
contains  at  least  one  constant.  In  practice,  most  notational  definitions  are  strict. 

The  user  may  declare  constants  to  be  infix  operators.  Operator  precedence  properties  are 
associated  with  constants,  which  must  therefore  already  have  been  declared  with  a  type  or  kind 
and  a  possible  definition.  It  is  illegal  to  shadow  an  infix  operator  with  a  bound  variable.  We 
use  nat  for  the  terminal  natural  numbers  in  Figure  8.6.  During  parsing,  ambiguous  successive 
operators  of  identical  precedence  such  as  a  <-  b  ->  c  are  flagged  as  errors.  Note  that  it  is  not 
possible  to  declare  an  operator  with  equal  or  higher  precedence  than  juxtaposition  or  equal  or 
lower  precedence  than  ->  and  <-. 
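To make the precedence and associativity rules above concrete, here is a small precedence-climbing parser, added as an example for this page; it is not code from the thesis or from the Twelf implementation. It handles only juxtaposition, user-declared infix operators and the two arrows (no binders, type ascription or holes), and the numeric stand-ins it uses for the precedence of juxtaposition and of the arrows are assumptions: the text fixes only their ordering relative to user-declared operators. It flags `a <- b -> c` and two adjacent non-associative operators of equal precedence as errors, as the text requires.

```python
import re
from dataclasses import dataclass

# Assumed numeric stand-ins: the text only says juxtaposition binds tighter
# than every user operator and the arrows looser than every user operator.
APP_PREC = 10000
ARROW_PREC = 0


class ParseError(Exception):
    pass


@dataclass(frozen=True)
class Infix:
    assoc: str  # "none", "left" or "right"
    prec: int


class OpTable:
    """User-declared infix operators plus the built-in arrows."""

    def __init__(self):
        self.table = {"->": Infix("right", ARROW_PREC),
                      "<-": Infix("left", ARROW_PREC)}

    def declare_infix(self, assoc, prec, name):
        """%infix assoc prec name: legal associativity and 0 < prec < 10000,
        which keeps the operator strictly between the arrows and juxtaposition."""
        if assoc not in ("none", "left", "right"):
            raise ParseError(f"bad associativity {assoc!r}")
        if not ARROW_PREC < prec < APP_PREC:
            raise ParseError(f"precedence {prec} not allowed for {name}")
        self.table[name] = Infix(assoc, prec)


# Identifiers (primes allowed, as in E1'), parentheses, or runs of symbol
# characters, so that operators such as -->* or <=> come out as one token.
TOKEN = re.compile(r"\s*(\(|\)|[A-Za-z_][A-Za-z0-9_']*|[^\sA-Za-z0-9_()']+)")


def tokenize(src):
    src, pos, out = src.strip(), 0, []
    while pos < len(src):
        m = TOKEN.match(src, pos)
        if m is None:
            raise ParseError(f"cannot tokenize {src[pos:]!r}")
        out.append(m.group(1))
        pos = m.end()
    return out


class Parser:
    def __init__(self, ops, src):
        self.ops, self.toks, self.i = ops, tokenize(src), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def infix(self, tok):
        return self.ops.table.get(tok) if tok is not None else None

    def atom(self):
        tok = self.take()
        if tok == "(":
            e = self.expr(ARROW_PREC)
            if self.take() != ")":
                raise ParseError("expected ')'")
            return e
        if tok in (None, ")") or self.infix(tok):
            raise ParseError(f"unexpected {tok!r}")
        return tok

    def application(self):
        # Juxtaposition: highest precedence, left associative.
        e = self.atom()
        while self.peek() not in (None, ")") and not self.infix(self.peek()):
            e = ("@", e, self.atom())
        return e

    def expr(self, min_prec):
        left = self.application()
        while (info := self.infix(self.peek())) and info.prec >= min_prec:
            op = self.take()
            # A left- or non-associative operator must not reappear inside
            # its own right operand; a right-associative one may.
            right = self.expr(info.prec + (info.assoc != "right"))
            left = (op, left, right)
            nxt = self.infix(self.peek())
            if nxt and nxt.prec == info.prec and not (
                    info.assoc == "left" and nxt.assoc == "left"):
                raise ParseError(f"ambiguous: {op} followed by {self.peek()}")
        return left


def parse(ops, src):
    p = Parser(ops, src)
    e = p.expr(ARROW_PREC)
    if p.peek() is not None:
        raise ParseError(f"trailing input at {p.peek()!r}")
    return e


def show(e):
    """Fully parenthesised rendering, so the chosen grouping is visible."""
    if isinstance(e, str):
        return e
    op, l, r = e
    return f"({show(l)} {show(r)})" if op == "@" else f"({show(l)} {op} {show(r)})"


def parses(ops, src):
    try:
        parse(ops, src)
        return True
    except ParseError:
        return False


def declares(ops, assoc, prec, name):
    try:
        ops.declare_infix(assoc, prec, name)
        return True
    except ParseError:
        return False


if __name__ == "__main__":
    ops = OpTable()
    ops.declare_infix("right", 10, "arrow")  # as in the tp encoding below
    ops.declare_infix("none", 10, "-->")
    print(show(parse(ops, "E1 --> E1' -> (app E1 E2) --> (app E1' E2)")))
    print(parses(ops, "a <- b -> c"))  # False: flagged as ambiguous
```

The `show` output makes the grouping explicit: a rule such as `E1 --> E1' -> (app E1 E2) --> (app E1' E2)` parses as `(E1 --> E1') -> (...)` only because `-->` sits strictly above the arrows, which is exactly the range restriction `declare_infix` enforces.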

During printing, Twelf frequently has to assign names to anonymous variables. In order 
to improve readability, the user can declare a name preference %name id id. for anonymous 
variables based on their type. Thus name preferences are declared for type family constants. 
Note that name preferences are not used to disambiguate the types of identifiers during parsing. 

Following our usual conventions, a name preference declaration has the form %name a id, 
that is, the first identifier must be a type family already declared and the second is the name 
preference for variables of type a. The second identifier must be uppercase, that is, start with a 
letter from A through Z or an underscore _. Anonymous variables will then be named id1, id2, 
etc. 

Representations  of  deductions  in  LF  typically  contain  a  lot  of  redundant  information.  In 
order  to  make  LF  practical,  Twelf  gives  the  user  the  opportunity  to  omit  redundant  information 
in  declarations  and  reconstructs  it  from  context.  Unlike  for  functional  languages,  this  requires 
recovering  objects  as  well  as  types,  so  we  refer  to  this  phase  as  term  reconstruction. 

There  are  criteria  which  guarantee  that  the  term  reconstruction  problem  is  decidable,  but 
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unfortunately  these  criteria  are  either  very  complicated  or  still  force  much  redundant  information 
to  be  supplied.  Therefore,  the  Twelf  implementation  employs  a  reconstruction  algorithm  which 
always  terminates  and  gives  one  of  three  answers: 

1.  yes,  and  here  is  the  most  general  reconstruction; 

2.  no,  and  here  is  the  problem;  or 

3.  maybe. 

The  last  characterizes  the  situations  where  there  is  insufficient  information  to  guarantee  a 
most  general  solution  to  the  term  reconstruction  problem.  Because  of  the  decidable  nature  of 
type-checking  in  LF,  the  user  can  always  annotate  the  term  further  until  it  falls  into  one  of  the 
definitive categories. For a detailed discussion of many examples related to type reconstruction 
consult [PS98]. 


Syntax  for 

There are four special declarations that define the interaction with the meta-theorem prover. 
The first declaration is %theorem, which declares an M2+-formula that is to be proven using either 
%prove, %establish, or %assert. %prove and %establish take as arguments the maximal filling 
bound, which restricts the size of the search space of the LF theorem prover, an induction ordering, 
and a call pattern that relates the induction variables to the actual arguments of the theorem. 
%assert on the other hand only expects a call pattern. It allows the user to assert the correctness of a 
theorem even if Twelf cannot prove it. Naturally, in a valid proof development no %assert is 
admissible. Hence, in order to take advantage of this feature, the user has to toggle Twelf into 
unsafe mode. 

The syntax for theorems is defined in Figure 8.7. Abstractly, arbitrary quantifier alternations 
are allowed, but Twelf rejects any formula that lies outside the ∀∃-fragment of M2+. The forallG 
quantifier binds a context schema, denoted by the non-terminal symbol regext, that defines a regular 
extension of the current world in which the theorem is to be proven. The some decs pi decs 
blocks describe the individual context blocks in terms of a SOME-block and a BLOCK-block. 
forall and forall* are two different notations for the same universal quantifier. The difference 
between the two is negligible in the current version. If Twelf generated proof terms, the forall* 
quantifier would define which universally quantified variables are implicit and need not be 
displayed in the proof term. The existential quantifier exists and true have the expected meaning. 


Example 8.4 (Diamond lemma in Twelf) The diamond Lemma 4.6 can be expressed in 
Twelf as the formula 

    %theorem dia : forallG (some {A:tp} pi {x: term A} {idx : x => x})
                   forall* {A:tp}{M:term A}{M':term A}{M'':term A}
                   forall {D1: M => M'} {D2: M => M''}
                   exists {N: term A}{E1: M' => N}{E2: M'' => N}
                   true.




dec     ::= {id : term}                       x : A

decs    ::= dec                               singleton block
         |  dec decs                          block of declarations

regext  ::= some decs pi decs                 context block
         |  some decs pi decs | regext        context schema

formula ::= forallG regext formula            quantification over regular contexts
         |  forall* decs formula              implicit universal
         |  forall decs formula               universal
         |  exists decs formula               existential
         |  true                              truth

thdecl  ::= id : formula                      assigning a name to a formula

Figure 8.7: Syntax for M2+-formulas in Twelf


The argument to the forallG quantifier defines the regular extension of the world; the three 
bound arguments M, M', M'' are implicit; once a proof term is generated (see Figure 4.4) it only 
expects two arguments D1 and D2 and not five. The forall quantifier binds D1 and D2, and 
exists binds the three returned arguments N, E1, and E2. 

More examples of theorems are described below in Section 8.4.2. In summary, Twelf only 
accepts formulas of the ∀∃-fragment, i.e. of the form 

    forallG regext forall* decs forall decs exists decs true.

After its declaration a theorem is subject to automated proof search. It is initiated by a %prove 
declaration that expects as arguments the maximal filling depth and an induction order. The 
induction order refers to argument positions of the theorem via call patterns. A call pattern 
consists of the name of the theorem applied to as many arguments as there are forall and 
exists quantified declarations (it should be read as a relation that associates input positions 
with output positions). Each argument can be either named or anonymous. Admissible in-
duction orders include lexicographic and simultaneous extensions of the subterm ordering as 
explained in Section 7.2. Their syntax in Twelf is depicted in Figure 8.8. 

The  case  of  mutually  recursive  predicates  is  particularly  complex  and  requires  mutually 
dependent  call  patterns  with  mutually  related  arguments.  Their  syntax  is  given  in  Figure  8.9. 

Example 8.5 (Call pattern for diamond lemma) There are several call patterns for the 
diamond lemma: the most complete is dia D1 D2 N E1 E2, but in general one typically 
specifies only those arguments in the call pattern that are needed in an induction ordering: 
dia D1 D2 _ _ _. 

All variables used to specify an induction order for a %prove declaration must be upper case, 
and they must occur in the call patterns. In addition, no variable may be repeated. Furthermore, 
ids      ::=                                  empty list of arguments
          |  id ids                           argument name

arg      ::= id                               single argument
          |  (ids)                            mutual arguments

orders   ::=                                  empty list of orders
          |  order orders                     component order

order    ::= arg                              subterm order
          |  {orders}                         lexicographic order
          |  [orders]                         simultaneous order

Figure 8.8: Syntax for induction orders in Twelf


args     ::=                                  no argument
          |  id args                          named argument
          |  _ args                           anonymous argument

callpat  ::= id args                          a x1 ... xn

callpats ::= (callpat)                        single call pattern
          |  (callpat) callpats               mutual call patterns

Figure 8.9: Syntax for call-patterns in Twelf


pdecl    ::= nat order callpats               bound, induction order, theorems

Figure 8.10: Syntax for proof declarations in Twelf
all arguments participating in the termination order must occur in the call patterns in input 
positions. The argument vector pdecl of a %prove declaration is depicted in Figure 8.10. 

In order to accept a declaration of the form %prove or %establish, Twelf activates the 
meta-theorem prover and attempts to construct a proof. If the meta-theorem prover reports 
failure, Twelf halts with an error message that a proof could not be found. On the other hand, if 
it finds a proof it applies skolemization and makes the lemma accessible to subsequent proofs. 

However, adding new Skolem constants may lead to an explosion of the respective search spaces 
for subsequent theorem proving tasks. The user can prevent these additions by using %establish 
instead of %prove. 

The meta-theorem prover implementation has only prototype status. Its proof strategy is 
simple yet powerful, but in some situations Twelf is not able to find a proof because of search 
space explosions, due to continuous splits of wrong assumptions or the complexity of elementary 
reasoning in LF. Twelf offers a way for the user to continue the development by simply 
asserting that a theorem holds. Obviously, this is a rather dangerous operation, and it requires 
the user to put Twelf into unsafe mode from the Twelf main menu. Unlike %prove, 
%assert followed by a call pattern asserts a theorem without proving it. This unsafe option of 
Twelf should only be used with extreme care. 

8.4.2  Developing  the  Church-Rosser  Theorem  in  Twelf 

We begin this case study with encoding the LF declarations from Figure 2.2. In essence we 
replay almost exactly the development from Chapter 2. Here are the declarations of the types 
tp and of terms term. 

    tp : type.                %name tp T.
    arrow : tp -> tp -> tp.   %infix right 10 arrow.

    term : tp -> type.        %name term E.
    lam : (term T1 -> term T2) -> term (T1 arrow T2).
    app : term (T1 arrow T2) -> term T1 -> term T2.

We follow the development in Section 2.5 and introduce the ordinary reduction relation for 
simply-typed terms. '-->' is a type family representing the single step reduction from a term of 
type A to another term of the same type. We declare it as an infix operator. 

    --> : term T -> term T -> type.   %infix none 10 -->.
    %name --> R.


    rbeta : (app (lam E1) E2) --> E1 E2.

    rlam  : ({x:term T1} E x --> E' x)
            -> (lam E) --> (lam E').

    rapp1 : E1 --> E1'
            -> (app E1 E2) --> (app E1' E2).

    rapp2 : E2 --> E2'
            -> (app E1 E2) --> (app E1 E2').
Next, the single step reduction relation is generalized to a multi step reduction relation 
'-->*' by defining its reflexive and transitive closure. '-->*' is used as an infix operator. The 
two inference rules are represented by rid and rstep. 

    -->* : term T -> term T -> type.   %infix none 10 -->*.
    %name -->* R*.

    rid   : E -->* E.

    rstep : E --> E'
            -> E' -->* E''
            -> E -->* E''.


And finally, the ordinary reduction relation can be generalized to a conversion relation by 
building the reflexive, transitive, and symmetric closure of the ordinary multi-step reduction 
relation. 

    <-> : term T -> term T -> type.   %infix none 10 <->.
    %name <-> C.

    rrefl  : E <-> E.

    rred   : E -->* E'
             -> E <-> E'.

    rsymm  : E <-> E'
             -> E' <-> E.

    rtrans : E <-> E'
             -> E' <-> E''
             -> E <-> E''.


We formalize the single-step parallel reduction relation in Twelf, which we generalize to a 
multi-step parallel reduction, and to parallel conversion, as already depicted in Figure 3.1. Note 
that declarations in Twelf syntax are in very direct correspondence to the LF declarations given 
in Chapter 3. It is this elegance that gives Twelf its expressive power and the meta-theorem 
prover its deductive power. 


    => : term T -> term T -> type.   %infix none 10 =>.
    %name => R.

    pbeta : ({x:term T} x => x -> E1 x => E1' x)
            -> E2 => E2'
            -> (app (lam E1) E2) => E1' E2'.

    papp  : E1 => E1'
            -> E2 => E2'
            -> (app E1 E2) => (app E1' E2').

    plam  : ({x:term T} x => x -> E x => E' x)
            -> lam E => lam E'.

As for ordinary reduction, the single step parallel reduction can be generalized to a multi-
step parallel reduction, just as discussed in Section 3.2.2. The resulting type family is an infix 
operator '=>*', and its semantics is expressed by two constants in Twelf in the following way. 

    =>* : term T -> term T -> type.   %infix none 10 =>*.
    %name =>* R*.

    pid   : E =>* E.

    pstep : E => E'
            -> E' =>* E''
            -> E =>* E''.

And again, following a very similar strategy as in the ordinary case, the concept of parallel 
conversion is the result of closing the parallel multi-step reduction under reflexivity, symmetry, 
and transitivity. 

    <=> : term T -> term T -> type.   %infix none 10 <=>.
    %name <=> C.

    pred   : E =>* E'
             -> E <=> E'.

    pexp   : E =>* E'
             -> E' <=> E.

    ptrans : E <=> E'
             -> E' <=> E''
             -> E <=> E''.

This concludes the encoding of the simply-typed λ-calculus and its ordinary and parallel reduc-
tion semantics in Twelf. Next we tackle the proof of the Church-Rosser theorem itself; and again, 
the elegance of Twelf allows us to follow the development described in Section 3.2.1 
very closely. In order to emphasize this point, we show all theorems from Chapter 3 and their 
formalizations in Twelf. We also comment on the timing results of each of the proofs. 

Lemma 3.1 (Transitivity of →*) If D1 :: e →* e' and D2 :: e' →* e'' then e →* e''. 

This  lemma  can  be  directly  formalized  in  Twelf.  The  proof  goes  by  simultaneous  induction  over 
D1  and  D2,  and  the  search  space  of  the  underlying  LF  theorem  prover  is  limited  by  the  bound 
4.  All  experiments  with  the  Twelf  meta-theorem  prover  on  which  we  report  in  this  thesis  were 
conducted  on  a  Pentium  II  400,  with  192MB  of  RAM.  This  proof  of  the  transitivity  lemma  was 
found  in  0.01  sec. 
    %theorem trans* : forall* {T: tp}{E: term T}{E': term T}{E'': term T}
                      forall {D1: E -->* E'}{D2: E' -->* E''}
                      exists {R: E -->* E''}
                      true.

    %prove 4 [D1 D2] (trans* D1 D2 _).

Following  the  development  of  Section  3.2.1,  we  will  now  employ  Twelf  to  prove  all  three  parts 
of  Lemma  3.2. 

Lemma 3.2 (Admissible rules) 

1. If D :: e →* e' then λx:τ. e →* λx:τ. e' 

2. If D :: e1 →* e1' then e1 e2 →* e1' e2 

3. If D :: e2 →* e2' then e1 e2 →* e1 e2' 

Only because of the inherent similarity of the three properties have we grouped them into 
one lemma: in fact, they are not mutually dependent on each other. Each of the cases can 
be formalized and automatically proven in Twelf. The first case rests on the regular world 
assumption. Twelf derives the admissibility of reductions under the λ-binder in 0.25 sec and the 
other two parts in 0.17 sec and 0.024 sec, respectively. 

    %theorem lm* : forallG (some {T: tp} pi {x: term T})
                   forall* {T1: tp}{T2: tp}
                           {E: term T1 -> term T2}{E': term T1 -> term T2}
                   forall {D: {x: term T1} (E x) -->* (E' x)}
                   exists {R: (lam E) -->* (lam E')}
                   true.

    %prove 4 D (lm* D _).

    %theorem apl1* : forall* {T1: tp}{T2: tp}
                             {E1: term (T1 arrow T2)}{E1': term (T1 arrow T2)}
                             {E2: term T1}
                     forall {D: E1 -->* E1'}
                     exists {R: (app E1 E2) -->* (app E1' E2)}
                     true.

    %prove 3 D (apl1* D _).

    %theorem apr1* : forall* {T1: tp}{T2: tp}
                             {E1: term (T1 arrow T2)}
                             {E2': term T1}{E2: term T1}
                     forall {D: E2 -->* E2'}
                     exists {R: (app E1 E2) -->* (app E1 E2')}
                     true.

    %prove 3 D (apr1* D _).
The informal development in Section 3.2.3 continues with the presentation of the reflexivity 
Lemma 3.4. In this formal development, on the other hand, we postpone its proof until the point 
where we prove the equivalence of ordinary and parallel reductions. Due to an incompleteness of 
Twelf, Lemma 3.11 can only be proven simultaneously with Lemma 3.4, even though Lemma 3.4 
itself could be proven on its own. Therefore we continue the formal development with the 
transitivity proof for parallel reduction, whose construction takes Twelf merely 0.008 sec. 

Lemma 3.5 (Transitivity of ⇒*) If D1 :: e ⇒* e' and D2 :: e' ⇒* e'' are closed then 
e ⇒* e''. 

    %theorem trans : forallG (some {T: tp} pi {x: term T}{idx : x => x})
                     forall* {T: tp}{E: term T}{E': term T}{E'': term T}
                     forall {D1: E =>* E'}{D2: E' =>* E''}
                     exists {R: E =>* E''}
                     true.

    %prove 4 [D1 D2] (trans D1 D2 _).

Following  the  informal  development,  the  substitution  lemma  is  next: 

Lemma 3.6 (Substitution lemma) Consider the situation where a list of the following as-
sumptions is present 

    x1 :: term τ1, u1 :: x1 ⇒ x1, ..., xn :: term τn, un :: xn ⇒ xn 

If D1 :: e1 ⇒ e1' is derivable under the additional assumptions y :: term τ and v :: y ⇒ y, 
and D2 :: e2 ⇒ e2', then there exists a reduction e1[e2/y] ⇒ e1'[e2'/y]. 

The formalization of this substitution lemma in Twelf makes the power and elegance of higher-
order representation techniques explicit. The assumption D1 stands for an arbitrary LF function 
that expects y:term T and v:y => y as arguments. Thus the formulation of the substitution lemma and 
its automated proof lie well outside the scope of any first-order theorem prover. Twelf can 
prove the substitution lemma in 0.025 sec. 

    %theorem subst : forallG (some {T: tp} pi {x: term T}{idx : x => x})
                     forall* {T1: tp}{T2: tp}
                             {E1: term T1 -> term T2}{E1': term T1 -> term T2}
                             {E2: term T1}{E2': term T1}
                     forall {D1: {x: term T1} x => x -> E1 x => E1' x}
                            {D2: E2 => E2'}
                     exists {R: E1 E2 => E1' E2'}
                     true.

    %prove 6 D1 (subst D1 _ _).
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The  diamond  lemma  from  Section  3.2.3  can  also  be  directly  formalized  in  Twelf. 

Lemma 3.7 (Diamond lemma) Let Φ be the list of given assumptions. If D^l :: e ⇒ e^l 
and D^r :: e ⇒ e^r then there exists a common reduct e' such that R^l :: e^l ⇒ e' and 
R^r :: e^r ⇒ e'. 

(Diagram: e reduces in one parallel step to e^l and to e^r, both of which reduce in one parallel step to e'.) 

Its  proof  is  quite  involved,  as  we  have  shown  in  Section  3.2.3,  since  we  have  to  distinguish  many 
cases;  nevertheless,  Twelf  constructs  the  proof  in  8.625  sec. 


    %theorem dia : forallG (some {T: tp} pi {x: term T}{idx : x => x})
                   forall* {T: tp}{E: term T}{El: term T}{Er: term T}
                   forall {Dl: E => El}{Dr: E => Er}
                   exists {E': term T}{Rl: El => E'}{Rr: Er => E'}
                   true.

    %prove 3 [Dl Dr] (dia Dl Dr _ _ _).
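Twelf proves the diamond lemma once and for all terms; to see what the lemma says on concrete terms, here is an added example in Python that is not part of the thesis or of Twelf. It represents untyped de Bruijn terms (the tp annotations are dropped, since they do not affect which reductions exist), enumerates every parallel reduct of a term following the rules pbeta, papp and plam, with variables reducing only to themselves as the `idx : x => x` assumption of the context schema prescribes, and then checks the diamond property by exhibiting the common reduct as the complete development of the term, which is the witness the informal proof constructs. The sample terms are constructed for this example. Note that this is a finite test on chosen terms, not a proof: only the %prove above establishes the lemma for all terms.

```python
from dataclasses import dataclass


# Untyped de Bruijn terms; Var(0) is the innermost bound variable, and any
# index not captured by a binder is a free variable of the surrounding context.
@dataclass(frozen=True)
class Var:
    idx: int


@dataclass(frozen=True)
class Lam:
    body: object


@dataclass(frozen=True)
class App:
    fun: object
    arg: object


def shift(t, d, cutoff=0):
    """Add d to every free index >= cutoff (used when moving s under a binder)."""
    if isinstance(t, Var):
        return Var(t.idx + d) if t.idx >= cutoff else t
    if isinstance(t, Lam):
        return Lam(shift(t.body, d, cutoff + 1))
    return App(shift(t.fun, d, cutoff), shift(t.arg, d, cutoff))


def subst(t, s, j=0):
    """t with index j replaced by s and the binder for j removed."""
    if isinstance(t, Var):
        if t.idx == j:
            return s
        return Var(t.idx - 1) if t.idx > j else t
    if isinstance(t, Lam):
        return Lam(subst(t.body, shift(s, 1), j + 1))
    return App(subst(t.fun, s, j), subst(t.arg, s, j))


def beta(body, arg):
    """The contractum of (lam body) arg, i.e. E1' E2' in the pbeta rule."""
    return subst(body, arg)


def par_reducts(t):
    """Every t' with t => t': a variable reduces only to itself, plam reduces
    under the binder, papp reduces both sides, and pbeta additionally
    contracts a redex whose function body and argument were reduced."""
    if isinstance(t, Var):
        return [t]
    if isinstance(t, Lam):
        return [Lam(b) for b in par_reducts(t.body)]
    fs, xs = par_reducts(t.fun), par_reducts(t.arg)
    out = [App(f, x) for f in fs for x in xs]                        # papp
    if isinstance(t.fun, Lam):                                        # pbeta
        out += [beta(b, x) for b in par_reducts(t.fun.body) for x in xs]
    return list(dict.fromkeys(out))                                   # dedupe


def complete_development(t):
    """Contract every redex of t at once. This is the common reduct used
    to witness the diamond lemma, and it is itself a parallel reduct of t."""
    if isinstance(t, Var):
        return t
    if isinstance(t, Lam):
        return Lam(complete_development(t.body))
    if isinstance(t.fun, Lam):
        return beta(complete_development(t.fun.body), complete_development(t.arg))
    return App(complete_development(t.fun), complete_development(t.arg))


def check_diamond(e):
    """Diamond property on one term: for all El, Er with e => El and e => Er
    there is E' with El => E' and Er => E'. Since the complete development
    E* is reached from *every* reduct in one step, checking that covers
    every pair (El, Er) at once."""
    star = complete_development(e)
    return all(star in par_reducts(el) for el in par_reducts(e))


# Constructed sample: (lam x. x x) ((lam y. y) z), with z the free index 0.
SAMPLE = App(Lam(App(Var(0), Var(0))), App(Lam(Var(0)), Var(0)))
# Constructed sample: (lam x. lam y. x) a b, with a and b free (indices 0, 1).
SAMPLE_K = App(App(Lam(Lam(Var(1))), Var(0)), Var(1))

if __name__ == "__main__":
    for t in (SAMPLE, SAMPLE_K):
        print(len(par_reducts(t)), "parallel reducts; diamond holds:", check_diamond(t))
```

`SAMPLE` has four parallel reducts (the untouched term, the inner redex contracted, the outer redex contracted, and both), and all four reduce in one parallel step to `z z`, the complete development; that single witness is what makes the lemma's case analysis close without an inductive search for a common reduct.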


In order to prove the Church-Rosser theorem for parallel reduction, we generalize the two 
single-step reduction arrows in the formulation of the diamond lemma in two steps to multi-step 
reduction arrows. First we prove the strip lemma, and second the confluence lemma. 


Lemma 3.8 (Strip lemma) Let Φ be the dynamic extension of the world. If D^l :: e ⇒ e^l 
and D^r :: e ⇒* e^r then there exists a common reduct e' such that R^l :: e^l ⇒* e' and 
R^r :: e^r ⇒ e'. 

(Diagram: e reduces to e^l in one parallel step and to e^r in several; e^l reaches e' in several steps and e^r in one.) 

The strip lemma is easily formalized in Twelf, but it takes a surprising 335.266 sec to prove it. This 
is a real surprise, considering how simple its proof actually is. Recall from Section 3.2.3 that it 
follows by a simple induction on the multi-step derivation, and compare it to the complexity of the 
proof of the diamond lemma. We suspect that the slow-down is caused by the transitivity rule 
in connection with the number of lemmas introduced so far. In particular, the conclusion of the 
substitution lemma falls outside the pattern fragment, causing the underlying LF theorem prover 
to struggle with constraints; in addition, the intermediate term whose existence is postulated by 
the transitivity rule does not contribute to the solution of those constraints at all. 
    %theorem strip : forallG (some {T: tp} pi {x: term T}{idx : x => x})
                     forall* {T: tp}{E: term T}{El: term T}{Er: term T}
                     forall {Dl: E => El}{Dr: E =>* Er}
                     exists {E': term T}{Rl: El =>* E'}{Rr: Er => E'}
                     true.

    %prove 4 [Dr] (strip _ Dr _ _ _).

By  generalizing  the  remaining  single-step  reductions  of  the  strip  lemma,  to  multi-step  reductions, 
one  obtains  the  confluence  lemma. 

Lemma 3.9 (Confluence lemma) Let Φ be the dynamic extension of the world. If D^l :: 
e ⇒* e^l and D^r :: e ⇒* e^r then there exists a common reduct e' such that R^l :: e^l ⇒* e' 
and R^r :: e^r ⇒* e'. 

(Diagram: e reduces to e^l and to e^r in several parallel steps, and both reach e' in several parallel steps.) 

Because  of  the  same  effects  that  slowed  down  the  proof  of  the  strip  lemma,  the  proof  of  the 
confluence  lemma  is  significantly  slower  than  the  proof  of  the  substitution  or  the  diamond 
lemma.  It  takes  Twelf  40.989  sec  to  prove  it. 

    %theorem conf : forallG (some {T: tp} pi {x: term T}{idx : x => x})
                    forall* {T: tp}{E: term T}{El: term T}{Er: term T}
                    forall {Dl: E =>* El}{Dr: E =>* Er}
                    exists {E': term T}{Rl: El =>* E'}{Rr: Er =>* E'}
                    true.

    %prove 4 Dl (conf Dl _ _ _ _).

Following the development from Section 3.2.3, it is now possible to prove the Church-Rosser 
theorem for parallel reduction. 

Theorem 3.10 (Church-Rosser) Let Φ be the dynamic extension of the world. If D :: e^l ⇔ 
e^r then there exists a common reduct e' such that R^l :: e^l ⇒* e' and R^r :: e^r ⇒* e'. 

(Diagram: e^l and e^r are parallel convertible, and both reduce in several parallel steps to e'.) 

The  proof  goes  by  induction  on  D,  and  it  takes  Twelf  3.283  sec  to  construct  it. 

    %theorem cr-par : forallG (some {T: tp} pi {x: term T}{idx : x => x})
                      forall* {T: tp}{El: term T}{Er: term T}
                      forall {D: El <=> Er}
                      exists {E': term T}{Rl: El =>* E'}{Rr: Er =>* E'}
                      true.

    %prove 3 D (cr-par D _ _ _).
This concludes the meta-theoretic development of the proof of the Church-Rosser theorem for 
parallel reduction. The reader should have noticed that the formal development is extremely 
close to the informal development. Every informal proof can be formalized and automatically 
deduced. But more importantly, no additional lemmas arose and needed to be proven! Typically, 
a development like this in a first-order based system with standard induction principles requires 
a lot of special infrastructure to encode parametric and hypothetical constructions, such as 
explicit encodings of variables and substitutions. In addition, it requires a lot of extra meta-
theoretic reasoning about their properties. This observation clearly justifies the use of higher-
order representation techniques in order to support an elegant development of the meta-theory. 

We continue with the exposition from Section 3.2.3 and derive the Church-Rosser theorem for ordi-
nary reduction in Twelf. As above, we accurately follow the structure of the development in 
Section 3.2.3. In particular we begin with the proof of the single-step correspondence 
between parallel and ordinary reduction. 

Lemma 3.11 (Single-step correspondence) 

1. If D :: e^l ⇒ e^r then e^l →* e^r. 

2. If D :: e^l → e^r then e^l ⇒ e^r. 

Recall from the informal proof that the second half of this theorem depends on the reflexivity 
Lemma 3.4, whose proof we have postponed so far. Twelf can prove the reflexivity lemma on its 
own, but because of an incompleteness in the implementation it cannot prove the second half! 
This artifact is due to the different treatment of induction hypotheses and lemmas. Induction 
hypotheses are applied by the recursion operation, which may extend the regular world Φ. As 
discussed in Section 8.3.2, lemmas on the other hand can only be applied in the form of Skolem 
constants during the filling operation, and filling cannot extend the world. This incompleteness 
will be removed in the next released version of the Twelf system. 

Lemma 3.4 (Reflexivity of ⇒) Consider the situation where a list of the following as-
sumptions is present 

    x1 :: term τ1, u1 :: x1 ⇒ x1, ..., xn :: term τn, un :: xn ⇒ xn 

Then for any well-typed term e, there exists a derivation of e ⇒ e. 

The  first  case  of  the  single-step  correspondence  is  proven  by  Twelf  in  0.094  sec. 

    %theorem single1 : forallG (some {T: tp} pi {x: term T}{eqx: x => x})
                       forall* {T: tp}{El: term T}{Er: term T}
                       forall {D: El => Er}
                       exists {R: El -->* Er}
                       true.

    %prove 3 D (single1 D _).

And  the  second  case,  proven  simultaneously  with  the  reflexivity  lemma  takes  only  0.045  sec. 
    %theorem single2 : forallG (some {T: tp} pi {x: term T}{eqx: x => x})
                       forall* {T: tp}{El: term T}{Er: term T}
                       forall {D: El --> Er}
                       exists {R: El => Er} true.

    %theorem refl : forallG (some {T: tp} pi {x: term T}{eq: x => x})
                    forall* {T: tp}
                    forall {E: term T}
                    exists {R: E => E} true.

    %prove 3 (E D) (refl E _) (single2 D _).

This  result  guarantees  that  there  is  a  correspondence  between  single  parallel  reduction  steps, 
and  possibly  several  ordinary  reduction  steps.  Clearly  we  can  generalize  it  to  a  correspondence 
result  about  multi-step  reductions. 

Lemma 3.12 (Multi-step correspondence) D :: e^l →* e^r iff R :: e^l ⇒* e^r 

Twelf  proves  the  sufficient  direction  of  this  Lemma  in  0.021  sec,  and  the  necessary  direction  in 
1.228  sec. 

    %theorem multi1 : forall* {T: tp}{El: term T}{Er: term T}
                      forall {D: El -->* Er}
                      exists {R: El =>* Er} true.

    %prove 3 D (multi1 D _).

    %theorem multi2 : forall* {T: tp}{El: term T}{Er: term T}
                      forall {D: El =>* Er}
                      exists {R: El -->* Er} true.

    %prove 4 D (multi2 D _).

The  three  remaining  lemmas  analyze  the  correspondence  between  parallel  conversion  and 
ordinary  conversion.  Recall  that  the  concept  of  ordinary  conversion  is  closed  under  symmetry, 
differently  from  parallel  conversion.  But  as  we  have  already  shown  informally  in  Section  3.2.3, 
symmetry  is  an  admissible  rule  of  inference  for  parallel  conversion. 

Lemma 3.13 (Symmetry) If D :: e^l ⇔ e^r then R :: e^r ⇔ e^l 

The proof goes by induction on D, and it takes Twelf 0.006 sec to derive this result. 

    %theorem symm : forall* {T: tp}{El: term T}{Er: term T}
                    forall {D: El <=> Er}
                    exists {R: Er <=> El} true.

    %prove 2 D (symm D _).

Since  symmetry  is  admissible,  there  is  a  correspondence  between  ordinary  conversion  and 
parallel  conversion. 

Lemma 3.14 (Conversion correspondence) 

1. If D :: e^l ↔ e^r then e^l ⇔ e^r 

2. If D :: e^l ⇔ e^r then e^l ↔ e^r 

Twelf proves the first direction in 0.310 sec, and the second direction in 0.021 sec. 

    %theorem conv1 : forall* {T: tp}{El: term T}{Er: term T}
                     forall {D: El <=> Er}
                     exists {R: El <-> Er} true.

    %prove 4 D (conv1 D _).

    %theorem conv2 : forall* {T: tp}{El: term T}{Er: term T}
                     forall {D: El <-> Er}
                     exists {R: El <=> Er} true.

    %prove 3 D (conv2 D _).

Thus, as a partial result, Twelf has shown that the Church-Rosser theorem for parallel reduction holds, and that parallel reduction models ordinary reduction and vice versa. The Church-Rosser theorem for ordinary reduction follows directly by combining these two properties. Two well-typed terms that are convertible via ordinary reduction are also convertible via parallel reduction. Therefore, by the Church-Rosser theorem, there exists a common reduct, and two parallel reduction sequences reducing each of the terms to that common reduct. Using the previously proven correspondence lemma, for each of those two parallel reductions there is a corresponding ordinary reduction to the same common reduct, and the Church-Rosser theorem is proven.

Theorem 3.15 (Church-Rosser for ordinary reduction) If e_l <-> e_r then there exists a common reduct e', s.t. e_l -->* e' and e_r -->* e'.

In order to construct this proof, Twelf delegates the construction of the argument to the underlying LF theorem prover, which attempts to fill the existential quantifier by one appeal to the filling operation. Unfortunately, the search space is too big, because many auxiliary lemmas have been proven. In addition, because lemmas are applied during filling, the LF theorem prover has to traverse a search space of at least depth 6 or 7, which is huge.

To help Twelf find this result more quickly, we first prove an intermediate result, namely that ordinary conversion guarantees the existence of two parallel multi-step reductions to a common reduct. The LF theorem prover can prove this fact in 2.657 sec while traversing a search space up to depth 3. Using this intermediate result, the search space for the actual Church-Rosser theorem for ordinary reduction is also reduced to depth 3, and Twelf finds the proof quickly, in 0.822 sec. Therefore, sometimes we need additional lemmas, if only for performance reasons.

%theorem cr-ord3: forall* {T: tp}{El: term T}{Er: term T}
                  forall {D: El <-> Er}
                  exists {E3: term T}{Rl: El =>* E3}{Rr: Er =>* E3} true.
%prove 3 [] (cr-ord3 _ _ _ _).

%theorem cr-ord: forall* {T: tp}{El: term T}{Er: term T}
                 forall {D: El <-> Er}
                 exists {E3: term T}{Rl: El -->* E3}{Rr: Er -->* E3} true.
%prove 3 [] (cr-ord _ _ _ _).
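The two-stage argument behind cr-ord3 and cr-ord, written out here as an added proof sketch (not part of the original text) using the theorem names of the Twelf declarations above; the Church-Rosser theorem for parallel reduction is the one established earlier in the case study:

$$
\begin{array}{lll}
\text{Given} & \mathcal{D} :: e_l \longleftrightarrow e_r & \\
\text{then} & e_l \Longleftrightarrow e_r & \text{by conv2} \\
\text{then} & \exists e'.\; e_l \Longrightarrow^{*} e' \;\wedge\; e_r \Longrightarrow^{*} e' & \text{by Church-Rosser for parallel reduction (this is cr-ord3)} \\
\text{then} & e_l \longrightarrow^{*} e' \;\wedge\; e_r \longrightarrow^{*} e' & \text{by multi2, once for each parallel reduction (this is cr-ord)}
\end{array}
$$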
This result concludes the presentation of the case study. In summary, Twelf's expressive power allows in this experiment an almost direct formulation of the lemmas and theorems needed to prove the Church-Rosser theorem. In particular, all proofs have been generated automatically from the information presented in this section. In the current version of Twelf, proof terms are not yet explicitly generated and exported to the user level, but if they were, they would closely resemble the proofs presented in Section 3.2.3 and in [Pfe93].

The implementation of the Twelf system provides (undocumented) functionality that allows the user to step through the proof, thus verifying that it works properly. Throughout the entire development of the Church-Rosser example we deviated in only two places from the informal development. First, the single correspondence lemma and the reflexivity lemma had to be made mutually dependent in order to allow for regular extensions of the world when applying a lemma, and second, the LF theorem prover is not efficient enough to put all pieces together for the proof of the Church-Rosser theorem. The first restriction will disappear with future releases of Twelf, and the second requires additional research on how to search for objects in LF more efficiently.


8.5  Experimental  results 

The formal development of the Church-Rosser theorem for the simply typed λ-calculus is only one of many examples Twelf has been put to work on. Other examples come from the areas of programming languages and logics, and in this section we sketch other experiments we have conducted in Twelf, summarized in Figure 8.11. All timings in this figure were taken on a Pentium II/400 MHz with 192 MB RAM.

The first two entries in this table describe experiments which involve cut-elimination. Twelf can fully automatically prove cut-elimination for full first-order intuitionistic logic in 6 minutes and 35 seconds. The proof it constructs is very similar to the proof described in [Pfe95]. The main difference is that Twelf has to consider significantly more cases, because it can apply splitting only in a hierarchical manner.

The cut-elimination result [Gen35] is a very important and fundamental result in logic and in the area of automated theorem proving. By inspection of the inference rules of a cut-free sequent calculus, for either intuitionistic or classical logic, it follows for example that falsehood is not derivable in this system, thereby warranting the soundness of the calculus and of the logic. The cut-elimination result is also very important for the area of automated deduction since it guarantees the subformula property for the cut-free fragment of any sequent calculus.

For intuitionistic and classical logic, the cut rule is an admissible rule of inference. This is the basic insight behind the cut-elimination theorem, and it is not easy to prove. The sequent calculus for intuitionistic logic, for example, contains 18 inference rules; since the cut rule has two premisses, this means that all in all, 324 cases are to be considered in the worst case.

In [Pfe95] the representation of the sequent calculus for classical logic is equally elegant to the one for intuitionistic logic. Nevertheless, the strategy employed in Twelf is not sophisticated enough to prove cut-elimination for this logic. Wrong choices of splitting operations mislead the prover, and a proof cannot be found in tolerable time.

Another experiment that we have conducted in Twelf is the development of a functional programming language called Mini-ML [Pfe00]. For a language that contains a simple inductive datatype (the natural numbers), anonymous functions, applications, let binding and fixed points, Twelf can prove automatically properties such as: the evaluation of an expression yields a value, or types are preserved during evaluation, or the natural meaning of an expression coincides with the one ascribed by a reduction semantics, or typing is unique.

Experiment                          Theorem                                         Time
----------------------------------------------------------------------------------------------
First-order intuitionistic logic    Admissibility of cut-rule                       6 min 35 sec
(Sequent calculus)                  Cut-elimination                                 0.28 sec
First-order classical logic         Admissibility of cut-rule                       not yet
(Sequent calculus)                  Cut-elimination                                 0.68 sec
Mini-ML                             Value soundness                                 0.13 sec
                                    Type preservation                               0.42 sec
                                    Evaluation/Reduction                            0.66 sec
                                    Uniqueness of typing                            0.25 sec
Compilation                         Soundness                                       not yet
                                    Completeness                                    1.13 sec
                                    Proof equivalence                               0.46 sec
Logic programming                   Soundness (uniform derivations)                 0.31 sec
                                    Canonical forms (uniform derivations)           0.34 sec
                                    Completeness (uniform derivations)              0.28 sec
                                    Soundness (resolution)                          1.05 sec
                                    Completeness (resolution)                       0.52 sec
Intuitionistic logic                Deduction theorem                               0.11 sec
(Hilbert calculus)                  Embedding into natural deduction calculus       0.33 sec
Intuitionistic logic                Natural deduction → Sequent calculus            0.11 sec
(implicational fragment)            Sequent calculus → Natural deduction            0.12 sec
Cartesian closed categories         Embedding into simply typed λ-calculus          3.39 sec
                                    Distributivity lemma                            not yet
Kolmogorov embedding                Classical logic → Intuitionistic logic          9.55 sec
                                    Intuitionistic logic → Classical logic          not yet

Figure 8.11: Experimental results (in CPU seconds)

Each  of  these  properties  can  be  verified  in  less  than  a  second,  which  makes  Twelf  an  efficient 
rapid  prototyping  tool. 

Mini-ML's natural semantics is defined by relating the expression to be evaluated and the result of the evaluation. But there are other semantics; we have considered for example another semantics that is defined in terms of execution traces of a compiled expression on an abstract CPM machine [FSDF93]. As a matter of fact, we have used Twelf to verify one direction of the equivalence proof between the natural and the trace-based semantics. The soundness direction of the proof states that once the abstract machine has computed a result, it coincides with the natural semantics. The proof of the soundness property requires complete induction, a technique that Twelf does not support in the current version. The completeness direction, on the other hand, states that each value computed by the abstract machine (upon input of a compiled expression) corresponds to the natural meaning of the expression. This property is very tedious to derive by hand, and Twelf does it in 1.13 sec.

In the same experiment we have used Twelf to show that every soundness proof for concrete expressions can be transformed into a completeness proof and vice versa. This is a meta-meta result about a relational encoding of the soundness and the completeness proofs as relations in LF.

The third experiment lies in the area of logic programming in the fragment of hereditary Harrop formulas. We have used Twelf to show that the search for uniform derivations and resolution are equivalent.

And finally, there are several small experiments. We could for example show that the Hilbert calculus for intuitionistic logic can be embedded into the natural deduction calculus, and so can the sequent calculus. The reverse also holds, at least for embedding the natural deduction calculus into the sequent calculus. Twelf's underlying LF theorem prover is not efficient enough to prove that any natural deduction derivation can be embedded into the Hilbert calculus.

We have used Twelf to show that Cartesian Closed Categories can be embedded into the simply-typed λ-calculus; objects are interpreted as terms, and morphisms as functions. The distributivity law (of a pair of two morphisms composed with another morphism) could not be proven in Twelf, because the underlying LF theorem prover is not efficient enough, but preliminary experiments with other theorem provers such as SPASS [Wei97] have shown that this is really a hard problem.

The LF theorem prover is also the problem in the proof of the Kolmogorov embedding. Twelf easily proves that classical logic can be embedded into intuitionistic logic via the double negation transformation, but for many cases of the reverse direction the search space is intractable, and Twelf is unable to find the proof.

8.6  Summary 

The Twelf system is a meta-logical framework that is designed to represent deductive systems, and to automate reasoning about them. Its design is two-layered. The logical framework LF serves as representation language for deductive systems, and the meta-logic M2+ serves as a specification language for their properties.

In this chapter we have presented the Twelf system with special emphasis on its meta-theorem prover component. The meta-theorem prover uses a sophisticated proof search algorithm to construct proof terms in M2+. One novel concept that distinguishes Twelf's meta-theorem prover from others is the ability to reason by induction over higher-order encodings using the regular world assumption. In Twelf, inductive definitions are open-ended: they can be dynamically extended, as long as they follow certain a priori specified formation rules, which we have dubbed context schemas. Most other inductive theorem provers, however, are based on the closed world assumption and employ standard induction principles for reasoning by induction, which disallow higher-order encodings in general since they typically violate the positivity condition associated with standard inductive definitions.

Because of higher-order representation techniques, proofs about formal systems enjoy brief and concise formalizations in M2+, and Twelf's special purpose meta-theorem prover takes full advantage of their form during search. As a case study, we have demonstrated in this chapter how to use Twelf to prove all lemmas in connection with the Church-Rosser theorem from Chapter 2 and Chapter 3. In the special domain of higher-order encodings, Twelf is an ideal rapid prototyping tool for the design of deductive systems and the study of their properties.
The development of formal systems, such as logics, programming languages and type systems, is a task so complex that it benefits greatly from tools that support their design, experimentation, and verification. To be usable, these tools must allow a formal encoding of the system that is as close as possible to its natural form — only then are users likely to overcome their reservations towards formalization. In addition, the language provided by the tool to express logics, programming languages, and type systems must be as simple and intuitive as possible; otherwise the tool remains accessible to specialists only.

The logical framework LF is an elegant meta-language for the representation of formal systems. It supports higher-order representation techniques, which allow for elegant and natural encodings of inference rules including side conditions, such as, for example, freshness conditions for variables and parameters. A user of a tool based on LF can employ the context of the logical framework to encode the contexts of an object language, given that they share the same properties. By its very definition, LF contexts are subject to weakening, contraction, and exchange — the same properties that the assumption lists of many logic calculi and the typing contexts of many programming languages enjoy.

Thus, LF is a powerful framework to represent formal systems such as logics and programming languages adequately. On the other hand, LF is a type theory, and not a logic per se. It is not designed as a meta-language to represent proofs of correctness, safety, soundness, or completeness conditions, or any other properties a formal system may satisfy. Many of those proofs are inductive; for example, the proof of the diamond lemma requires induction over the reduction derivations, and the type preservation proof of a functional programming language proceeds by induction on the evaluation derivation.

The problem is that for higher-order encodings of formal systems in a logical framework, standard induction principles typically do not exist. The closed world assumption that underlies standard induction principles stipulates a positivity condition on inductive definitions — the type defined must only occur in positive positions of its constructor types — and in general, higher-order encodings violate exactly this condition. In fact, the closed world assumption is too restrictive for inductive definitions of higher-order encodings because inductive arguments are allowed to traverse λ-binders and thus, inductive definitions are open-ended.

In this sense, higher-order representation techniques and inductive reasoning are incompatible. Proof assistant systems such as Isabelle, Coq, and PVS are based on the closed world assumption and therefore allow only higher-order encodings that are compatible with the positivity condition. However, most of the interesting higher-order encodings we are concerned with do not satisfy the positivity condition.

In this thesis, on the other hand, we present an alternative solution: instead of massaging our representations in such a way that they satisfy the positivity condition, we allow them to be higher-order in the most general sense. One of the contributions of this thesis is that even though they are not inductive in the standard sense under the closed world assumption, they can be seen as inductive definitions under the regular world assumption. Under the regular world assumption, inductive definitions are open-ended: they are permitted to be extended in a regular way when traversing λ-binders.

In our design, regularly formed world extensions possess the same properties as LF contexts, in particular contraction, weakening, and exchange. Since it is not at all clear which form an induction principle under the regular world assumption should have, this thesis proposes an alternative. We have designed the meta-logic M2+ of recursive functions that are defined by cases, and which range over LF objects. In this meta-logic, inductive proofs over higher-order encodings are realized by total functions.

The main characteristic of our design is that the meta-logic and the logical framework LF are conceptually defined on two different levels. The meta-logic provides a notion of recursive function to formalize inductive arguments, whereas LF provides a notion of parametric function that is used exclusively for the purpose of representation. We have shown that the design of M2+ is sound. Thus, M2+ is a meta-logical framework based on realizability.

In this thesis we have also developed automated deduction procedures: one conducts proof search for LF objects of a given LF type, the other searches for recursive functions, which formalize proofs, in the meta-logic M2+. Both procedures are implemented in the Twelf system, which is publicly available from the Twelf homepage at http://www.twelf.org. One is called the LF theorem prover, and the other the meta-theorem prover. The meta-theorem prover uses the LF theorem prover during proof search.

Because of the immediacy and the elegance of higher-order encodings of formal systems and because of the direct formalization of meta-theoretic arguments, Twelf's meta-theorem prover outperforms any other theorem prover in this special domain. Twelf has been successfully employed to derive various properties of logics and type systems, such as the consistency of logics, the admissibility of new inference rules, and the equivalence of different logic calculi. Other results include automatic proofs of the Church-Rosser theorem, cut-elimination, and type preservation and progress of various operational semantics.


9.1  Future  Work 

The future research that will follow this thesis is manifold. The overall goal of this research is to devise tools that support the design, the experimentation and the verification of formal systems, such as logics, programming languages, and type systems; but the research program does not stop there. Instead, as a next step, we would like to scale this research to engineer real, usable tools for security and network protocol designers, for authentication protocol designers, for programming language designers, for system engineers, and possibly even for software engineers. We foresee several possible developments along these lines, as described in this section.

First we give an overview of possible application domains for this research in Section 9.1.1. But how good are higher-order encodings for these applications? Are the standard properties associated with LF contexts enough to guarantee adequate and elegant encodings of the formal systems in question? It is very likely that different applications pose different requirements on the underlying logical framework, which we discuss in Section 9.1.2. Another line of future research emerges from the question of how to extend the meta-logic M2+ to facilitate the formulation of and automatic reasoning about other applications. We discuss possible extensions of the meta-logic in Section 9.1.3. In order for Twelf to be a design and experimentation tool, the prototype implementation of the meta-theorem prover must mature. Possible improvements to the implementation are described in Section 9.1.4. Another direction of future work results from interpreting the recursive functions of M2+ as programs of a real programming language which is yet to be developed. An account of possible research directions is given in Section 9.1.5.

9.1.1 Applications of M2+

Twelf owes its tremendous performance in all our experiments partly to the design of the meta-logic M2+, partly to the representational power of the logical framework LF, but also partly to the cleanliness of the formal systems in question. However, when designing real world programming languages and safe real world systems, there might not be an elegant and direct encoding in the logical framework. Twelf, for example, can show type preservation for the execution of purely functional programs, but it is still an open question whether and how references and exceptions can be added to the encoding in a direct way. Therefore, in future work we have to understand what requirements real world systems pose on meta-languages such as LF, and we propose to achieve this by conducting case studies in the areas of programming language design, protocol design, and software engineering.

Safe programming languages. In recent years, several techniques have been developed to increase the user's confidence in the safety of executable code. The idea of proof carrying code [Nec98], for example, suggests modifying compilers to emit not only compiled code but also corresponding safety proofs that a code consumer can use to check a priori safety properties. Typed assembly language is a special instance of this design. Safety proofs are encoded by type information in TAL [MWCG99], following the idea that well-typed programs are safe to execute. Similarly, and more mainstream, Java bytecode [LY96] is subject to verification by a bytecode verifier that implements a particular safety policy.

All three ideas are based on the common principle that code should not be executed without checking that it is safe to do so. In each system, safety checking reduces to proof checking, type checking, or bytecode checking, respectively. Note, however, that all three designs are extremely vulnerable to design mistakes — a logic in which safety proofs are expressed must be consistent (if falsehood is derivable, then any property is derivable), a type system for assembly language must be sound, and so must be the notion of safety attributed to Java bytecode. One possible research direction is to make Twelf a useful development and verification tool. Future experiments in this area will shed some light on the limitations and possible extensions of the Twelf system.

Protocol design. The common practice in the design of network and authentication protocols is not to use any formal tools. Important properties are verified only after a design is completed and implemented. Protocols can be modeled in proof assistants such as PVS [ORS92] or model checkers such as SMV [CGL94], and they are examined for different properties, such as liveness and, in the case of authentication protocols, freedom from attacks [MCJ97].
Twelf has not been applied to protocol design yet, but it would be a very instructive experience to do so. We suspect that by using Twelf as a development tool, the design of protocols can be made more secure since a priori specified safety and security properties can be verified and checked throughout the design process. Therefore, design mistakes can be caught early. After a successful design, we foresee Twelf outputting the verified code (in a compilable language) that implements protocol stacks, or client/server architectures for authentication systems.

As  for  the  formal  development  of  security  protocols,  experiments  in  this  domain  may  reveal 
shortcomings  in  the  design  of  Twelf  that  can  give  indications  for  future  research. 

Software engineering. The functionality of a software module is typically defined through an interface that contains formal descriptions of the computational behavior of the functions and procedures provided by the module. The languages used to describe this kind of functionality are typically logics or type theories; the challenge is to design them in such a way that they can capture invariants while preserving soundness. Twelf is a tool that can help in developing these kinds of languages.

9.1.2 Adaptation of M2+

It is likely that the experiments with real-world systems will suggest possible extensions of Twelf, such as extensions to the underlying logical framework LF and also extensions to the meta-logic M2+. As presented in Section 2.3, LF is a logical framework which satisfies the requirements for adequate representations of formal systems such as logics and programming languages. But there are many important extensions of LF, some of them characterized in Barendregt's λ-cube, and other substructural logical frameworks that may be of practical interest.

Polymorphic logical framework. Even though not discussed in this thesis, one can imagine an extension of this work to other logical frameworks. For example, adding polymorphism to LF while preserving canonical forms may be possible, but it is certainly challenging, and it is even more challenging to extend the meta-logic M2+ discussed in Chapter 5 accordingly. We leave this research to future work, together with an extension of Twelf by type constructors.

Linear logical framework. The linear logical framework (LLF) is a substructural logical framework. It is a conservative extension of LF and goes back to work by Cervesato and Pfenning [CP97a]. LLF extends LF by a resource-oriented assumption concept, inspired by linear logic [Gir87]. Linear assumptions are organized in linear contexts which obey only one of the standard structural rules: exchange. Weakening and contraction cannot be applied to linear contexts. This gives linear assumptions the flavor of resources: assumptions can neither disappear nor be duplicated. The advantage of a linear logical framework is that it allows a concise modeling of resource-oriented problems such as, for example, the theory of functional programming languages with references. The binding of a value to a reference cell is represented as a resource, and because of the properties of the linear logical framework, the update of reference cells can be modeled directly [CP96].

Ordered logical framework. The ordered logical framework derives from the linear logical framework by dropping the last remaining structural rule: exchange. First case studies by Pfenning and Polakow [PP99] have shown that ordered linear logic is beneficial for the representation of aggregate constructs such as stacks. This framework inherits all properties from the logical framework, and in addition, assumptions can only be consumed in the same order in which they have been assumed. Again, in the area of functional programming languages, there are several examples of languages which can be very elegantly represented in an ordered linear framework [DP95].

9.1.3 Extensions of M2+

Quantifier alternations. In the current development, Twelf accepts only ∀∃-formulas, i.e. formulas that start with a block of universal quantifiers followed by a block of existential quantifiers. However, many examples lie outside this fragment. We leave an investigation of this issue to future research.

Adding new logical connectives. From a logical point of view, M2+ is relatively impoverished. Not only does it define only a few connectives, it neither provides nor allows the user to define new predicates. In particular, M2+ is missing other logical connectives, such as, for example, disjunction, implication, and negation; it is also missing mechanisms to express equality of derivations and subterm relations. In many cases, if needed, connectives and predicates can be encoded in LF; but in future versions, it might be sensible to extend the meta-logic directly.

Equality is a good candidate for a built-in predicate in M2+. It allows the formulation of theorems that express the unique existence of a derivation. The drawback of adding equality to the meta-logic is that the theorem proving aspects will get harder: unification problems must now be considered modulo equational theories [Sny91]. A different research direction is to investigate how M2+ can be extended by a new unique-existence quantifier ∃!.

Context schema subsumption. In Section 6.3 we have introduced a very simple and direct definition of context schema subsumption. For larger developments it may be important to relax the subsumption condition, for example, by extending context blocks by unrelated parameter declarations. How exactly a refined subsumption criterion could look is an important design question; in addition, it interacts with other design choices such as the design of the module system or the scope of regular context extensions. These are important questions and should be addressed in future research.

9.1.4 Implementation of $\mathcal{M}_2^+$

Despite  its  already  impressive  deductive  power,  the  implementation  of  the  meta-theorem  prover 
in  the  Twelf  system  is  currently  only  a  prototype.  No  sophisticated  optimizations  have  been 
applied  so  far,  and  the  implementation  is  incomplete  with  respect  to  the  theory  which  has 
been  described  in  this  thesis.  For  example,  many  of  the  techniques  developed  for  traditional 
inductive  theorem  provers  seem  applicable  in  our  setting,  but  none  has  actually  been  adjusted 
or  implemented. 

Termination orderings. The prototype implementation of the meta-theorem prover is restricted to proofs by structural induction. The various termination orders defining the proofs of the lemmas in this thesis, for example, syntactically restrict the form of the induction hypotheses. In particular, termination orders are lexicographic and simultaneous extensions of the subterm ordering, which are expressive enough for many proofs, but not necessarily all. The soundness proof of compiling Mini-ML to the CPM machine, for example, requires proof by complete induction as its proof principle. In future research we plan to enrich the notion of termination order by derived reduction information, as already implemented in the termination checker for Twelf [PP00].
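As an added illustration that is not part of the thesis or of Twelf, the following Python sketch implements a subterm ordering together with the lexicographic and simultaneous extensions the paragraph mentions, and checks whether every recursive call of a candidate proof decreases with respect to the induction hypothesis. The tuple representation of terms, the function names, and the precise shape of the two extensions are my simplifying assumptions; the final check shows a call whose argument is computed rather than structurally smaller, the kind of step a purely structural ordering cannot justify.

```python
"""Termination check by subterm orderings (illustrative; not Twelf's own code).

Terms are modelled as nested tuples: a constructor name followed by its
argument terms, e.g. ('s', ('z',)) for the successor of zero.  This
representation and the definitions below are simplifying assumptions.
"""
from typing import Callable, List, Sequence, Tuple

Term = Tuple                     # ('c', arg1, arg2, ...)
Args = Sequence[Term]            # argument vector an induction hypothesis ranges over
Order = Callable[[Args, Args], bool]


def is_proper_subterm(m: Term, n: Term) -> bool:
    """Strict subterm ordering: m < n iff m occurs strictly inside n."""
    return any(sub == m or is_proper_subterm(m, sub) for sub in n[1:])


def subterm_le(m: Term, n: Term) -> bool:
    """Reflexive closure: m <= n iff m == n or m < n."""
    return m == n or is_proper_subterm(m, n)


def lex_less(ms: Args, ns: Args) -> bool:
    """Lexicographic extension of the subterm ordering: the first differing
    position must decrease strictly; positions after it are unconstrained."""
    if len(ms) != len(ns):
        raise ValueError("argument vectors must have the same arity")
    for m, n in zip(ms, ns):
        if is_proper_subterm(m, n):
            return True
        if m != n:
            return False
    return False


def sim_less(ms: Args, ns: Args) -> bool:
    """Simultaneous extension: every position is <= and at least one is strictly <."""
    if len(ms) != len(ns):
        raise ValueError("argument vectors must have the same arity")
    pairs = list(zip(ms, ns))
    return (all(subterm_le(m, n) for m, n in pairs)
            and any(is_proper_subterm(m, n) for m, n in pairs))


def rejected_calls(hypothesis: Args, calls: List[Args], order: Order) -> List[Args]:
    """Return the recursive calls whose arguments do not decrease in `order`
    relative to the arguments the induction hypothesis is stated on.
    An empty result means the candidate proof passes this termination check."""
    return [call for call in calls if not order(call, hypothesis)]


# --- constructed sample terms (unary natural numbers) -------------------------
Z = ('z',)

def S(n: Term) -> Term:
    return ('s', n)

N = S(S(Z))          # s (s z)
M = S(Z)             # s z

# Induction hypothesis stated on the pair (N, M).
# Call 1 keeps N fixed and drops M to z; call 2 drops N to M but grows the
# second argument, which only the lexicographic order tolerates.
CALLS = [(N, Z), (M, S(S(S(Z))))]

# A call whose first argument is the result of a computation on N and M
# rather than a subterm of either: neither ordering accepts it.
COMPUTED_CALL = [(('plus', N, M), Z)]


if __name__ == "__main__":
    print("lexicographic rejects:", rejected_calls((N, M), CALLS, lex_less))
    print("simultaneous rejects:", rejected_calls((N, M), CALLS, sim_less))
    print("computed argument rejected:",
          rejected_calls((N, M), COMPUTED_CALL, lex_less))
```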

Integration. Currently, a successful application of Twelf's meta-theorem prover depends crucially on the appropriate choice of the various bounds for filling, splitting, and recursion, and on the heuristic that selects the first universally quantified variable to split on. At runtime, a splitting operation is executed upon the failure of the preceding filling operation. Therefore, filling slows the meta-theorem prover down. One possibility to improve the theorem prover's performance is to consider filling and splitting operations simultaneously. It is left to future research to integrate the different operations of the meta-theorem prover.

Proof Planning. Proof planning was introduced by Alan Bundy et al. [BvHHS91] for inductive theorem proving by a special search heuristic called rippling. This heuristic works particularly well for equational arguments used in proofs by mathematical induction. The question of how rippling scales to the setting of non-standard induction techniques opens a new area of research.

Failure treatment. A very important area of research is the treatment of proof failure. In the case of failure, the theorem prover must supply the user with appropriate messages pointing to the design mistake that caused it. In the current prototype implementation, the prover is too eager to continue; it will keep applying splitting operations that do not advance the search for a proof. How can the prover distinguish between promising and non-promising splitting operations? How can it return information to the user such as, for example, that a particular inference rule renders a logic design unsound, or that a proof does not go through because the world extension was assumed to be closed? If meaning could be assigned to failure, intelligent error messages could be generated and system design cycles would shrink tremendously.

Optimizations. Among the many restrictions and prototype features of the Twelf system, there is one that is particularly important: many decisions about which operation to apply next depend on the filling operations. Most of the time spent by the theorem prover in Figure 8.11, for example, is due to filling.

Currently not employing any kind of advanced implementation technique, the LF theorem prover uses a straightforward depth-first, iterative-deepening search that is limited only by a filling bound. We believe that the efficiency of the theorem prover could be tremendously improved by other techniques such as the inverse method [DMTV99] and the tableaux method [Hah99], in connection with special indexing techniques [RSV99].

Proof translation. Trusting a proof means to verify it. One of the shortcomings of the current prototype implementation of Twelf is that it does not provide an independent meta-proof checker. Even though we hope that such a checker would be small and verifiably correct, its design is significantly more complicated than that of the standard LF type checker because it relies on a correct implementation of pattern unification for coverage analysis. As an alternative, in another line of research we want to investigate how to convert higher-order encodings and their meta-theory into the language of standard inductive definitions, interpretable and verifiable by trusted and well-understood theorem provers, such as Coq [DFH+93], Lego [LP92], Gandalf [Tam97], Spass [Wei97], TPS [AINP90] and others.

Tactics. Independent experiments with the meta-theorem prover have shown that its current strategy is not powerful enough to reach satisfactory results in certain application areas. The main drawback of the implementation is that it has a fixed heuristic which selects the assumption the system will split next. In addition, the meta-theorem prover does not implement backtracking. On the contrary, whenever an operation is applied, Twelf commits to it once and for all.

Twelf's built-in heuristic is unsatisfactory because it is programmed in such a way that it never splits assumptions that occur in the type of another. These assumptions are called index assumptions. In most of our experiments, this design decision drastically cuts down the size of the search space, but unfortunately, in other situations a successful proof relies on the ability to split index assumptions.

Therefore, another very challenging research direction is the design of good heuristics, better search strategies, and user-defined tactics to guide proof search and the selection of the assumptions to be split.

9.1.5 Functional Programming in $\mathcal{M}_2^+$

The proof term calculus of $\mathcal{M}_2^+$ bears the basic elements of a programming language, such as a notion of recursive function, application, and definition by cases. Datatypes are expressed in the logical framework LF in the form of LF signatures. By omitting side condition (5.1), which ensures termination, and side condition (5.2), which ensures coverage, we obtain a simple functional programming language whose functions range over LF objects. In future research we will investigate how to turn $\mathcal{M}_2^+$ into a programming language by adding references, exceptions and a module system. This research extends into the areas of compiler and garbage collector design.


9.2  Summary 

The contributions of this thesis are manifold. We have presented a meta-logic $\mathcal{M}_2^+$ whose quantifiers range over LF objects. The meta-logic is designed to formalize inductive arguments about higher-order encodings of formal systems in LF. Therefore, one of the main contributions of this thesis is a solution to the problem of how to bring together inductive reasoning and higher-order representation techniques.

In several experiments we have shown that $\mathcal{M}_2^+$ is expressive enough to formalize proofs of many important properties of logics, programming languages, and type systems. These formalizations are so elegant that they can be constructed automatically by the meta-theorem prover that is implemented, as a prototype, in the Twelf system.

Twelf has been used to develop and prove several fundamental results of computer science and logic with a high degree of automation. Among the examples are the Church-Rosser property of the simply typed $\lambda$-calculus, which we have discussed in depth in this thesis, and the cut-elimination theorem for intuitionistic first-order logic.
Inference rules

4’;  A;  E  hE;.s  fi,  (4/ 1 >  ij>  ^  P)  £  F

$\Psi'$ is minimal

(5.1)

(5.2)

(5.3)
A.2 Operational Big-Step Semantics

Judgments

Evaluation   $\Phi \vdash P \hookrightarrow V$
Assumption   $\Phi \vdash D \hookrightarrow \psi; \delta$
Selection    $\Phi \vdash (\psi; \delta) \sim \Omega \hookrightarrow V$

Rules

$$\frac{}{\Phi \vdash \lambda x{:}A.\,P \hookrightarrow \lambda x{:}A.\,P}\ \text{ev\_lam}
\qquad
\frac{}{\Phi \vdash \Lambda\rho^L.\,P \hookrightarrow \Lambda\rho^L.\,P}\ \text{ev\_Lam}$$

$$\frac{\Phi \vdash P \hookrightarrow V}{\Phi \vdash \langle M, P\rangle \hookrightarrow \langle M, V\rangle}\ \text{ev\_inx}
\qquad
\frac{\Phi \vdash P_1 \hookrightarrow V_1 \quad \Phi \vdash P_2 \hookrightarrow V_2}{\Phi \vdash (P_1, P_2) \hookrightarrow (V_1, V_2)}\ \text{ev\_pair}
\qquad
\frac{}{\Phi \vdash \langle\rangle \hookrightarrow \langle\rangle}\ \text{ev\_unit}$$

$$\frac{\Phi \vdash D \hookrightarrow \psi; \delta \quad \Phi \vdash P[\mathrm{id}_\Phi, \psi; \delta] \hookrightarrow V}{\Phi \vdash \mathbf{let}\ D\ \mathbf{in}\ P \hookrightarrow V}\ \text{ev\_let}$$

$$\frac{\Phi \vdash P[\mu x \in F.\,P / x] \hookrightarrow V}{\Phi \vdash \mu x \in F.\,P \hookrightarrow V}\ \text{ev\_rec}
\qquad
\frac{\Phi \vdash (\psi; \delta) \sim \Omega \hookrightarrow V}{\Phi \vdash \mathbf{case}\ (\psi; \delta)\ \mathbf{of}\ \Omega \hookrightarrow V}\ \text{ev\_case}$$

$$\frac{}{\Phi \vdash \cdot \hookrightarrow \cdot; \cdot}\ \text{ev\_empty}$$

$$\frac{\Phi \vdash P \hookrightarrow \langle M, V\rangle \quad \Phi \vdash D[\mathrm{id}_\Phi, M/x; V/y] \hookrightarrow \psi'; \delta'}{\Phi \vdash (x{:}A, y \in F) = P, D \hookrightarrow M/x, \psi'; V/y, \delta'}\ \text{ev\_split}$$

$$\frac{\Phi \vdash P \hookrightarrow \lambda x{:}A.\,P' \quad \Phi \vdash P'[\mathrm{id}_\Phi, M/x] \hookrightarrow V \quad \Phi \vdash D[V/y] \hookrightarrow \psi'; \delta'}{\Phi \vdash y \in F = P\,M, D \hookrightarrow \psi'; V/y, \delta'}\ \text{ev\_App}$$

$$\frac{\Phi \vdash P \hookrightarrow \Lambda\rho^L.\,P' \quad \Phi \vdash P'[\mathrm{id}_\Phi, \rho'/\rho] \hookrightarrow V \quad \Phi \vdash D[V/y] \hookrightarrow \psi'; \delta'}{\Phi \vdash y \in F = P\,\rho', D \hookrightarrow \psi'; V/y, \delta'}\ \text{ev\_app}$$

$$\frac{\Phi, \rho^L \vdash D \hookrightarrow \psi'; \delta'}{\Phi \vdash \nu\rho^L.\,D \hookrightarrow \Lambda\rho^L.\,(\psi'; \delta')}\ \text{ev\_new}$$

$$\frac{\Phi \vdash P \hookrightarrow (V_1, V_2) \quad \Phi \vdash D[V_1/x] \hookrightarrow \psi'; \delta'}{\Phi \vdash x \in F_1 = \pi_1\,P, D \hookrightarrow \psi'; V_1/x, \delta'}\ \text{ev\_fst}$$

$$\frac{\Phi \vdash P \hookrightarrow (V_1, V_2) \quad \Phi \vdash D[V_2/x] \hookrightarrow \psi'; \delta'}{\Phi \vdash x \in F_2 = \pi_2\,P, D \hookrightarrow \psi'; V_2/x, \delta'}\ \text{ev\_snd}$$

$$\frac{\Phi \vdash P[\psi''; \delta] \hookrightarrow V}{\Phi \vdash (\psi; \delta) \sim (\Omega, (\Psi' \triangleright \psi' \mapsto P)) \hookrightarrow V}\ \text{ev\_yes}
\quad \text{if there exists a } \psi'' \text{ s.t. } (\psi'; \mathrm{id}_\Delta) \circ (\psi''; \delta) = (\psi; \delta)$$

$$\frac{\Phi \vdash (\psi; \delta) \sim \Omega \hookrightarrow V}{\Phi \vdash (\psi; \delta) \sim (\Omega, (\Psi' \triangleright \psi' \mapsto P)) \hookrightarrow V}\ \text{ev\_no}$$

A.3 Operational Small-Step Semantics

Judgments

One-step reduction    $S_1 \Longrightarrow S_2$
Multi-step reduction  $S_1 \Longrightarrow^* S_2$

Rules

trlet    :: $\Phi; C \triangleright \mathbf{let}\ D\ \mathbf{in}\ P \Longrightarrow \Phi; C, \mathbf{let}\ \cdot\ \mathbf{in}\ P \triangleright D$
trletC   :: $\Phi; C, \mathbf{let}\ \cdot\ \mathbf{in}\ P \triangleright (\psi; \delta) \Longrightarrow \Phi; C \triangleright P[\mathrm{id}_\Phi, \psi; \delta]$

trpair   :: $\Phi; C \triangleright (P_1, P_2) \Longrightarrow \Phi; C, (\cdot, P_2) \triangleright P_1$
trpairC  :: $\Phi; C, (\cdot, P_2) \triangleright V \Longrightarrow \Phi; C \triangleright (V, P_2)$

trmix    :: $\Phi; C \triangleright (V_1, P_2) \Longrightarrow \Phi; C, (V_1, \cdot) \triangleright P_2$
trmixC   :: $\Phi; C, (V_1, \cdot) \triangleright V \Longrightarrow \Phi; C \triangleright (V_1, V)$

trfst    :: $\Phi; C \triangleright x \in F = \pi_1\,P, D \Longrightarrow \Phi; C, x \in F = \pi_1\,\cdot, D \triangleright P$
trfstC   :: $\Phi; C, x \in F = \pi_1\,\cdot, D \triangleright (V_1, V_2) \Longrightarrow \Phi; C, (\cdot; V_1/x, \cdot) \triangleright D[V_1/x]$

trsnd    :: $\Phi; C \triangleright x \in F = \pi_2\,P, D \Longrightarrow \Phi; C, x \in F = \pi_2\,\cdot, D \triangleright P$
trsndC   :: $\Phi; C, x \in F = \pi_2\,\cdot, D \triangleright (V_1, V_2) \Longrightarrow \Phi; C, (\cdot; V_2/x, \cdot) \triangleright D[V_2/x]$

trinx    :: $\Phi; C \triangleright \langle M, P\rangle \Longrightarrow \Phi; C, \langle M, \cdot\rangle \triangleright P$
trinxC   :: $\Phi; C, \langle M, \cdot\rangle \triangleright V \Longrightarrow \Phi; C \triangleright \langle M, V\rangle$

trsplit  :: $\Phi; C \triangleright (x{:}A, y \in F) = P, D \Longrightarrow \Phi; C, (x{:}A, y \in F) = \cdot, D \triangleright P$
trsplitC :: $\Phi; C, (x{:}A, y \in F) = \cdot, D \triangleright \langle M, V\rangle \Longrightarrow \Phi; C, (M/x, \cdot; V/y, \cdot) \triangleright D[\mathrm{id}_\Phi, M/x; V/y]$
trsubst  :: $\Phi; C, (M/x, \cdot; V/y, \cdot) \triangleright (\psi; \delta) \Longrightarrow \Phi; C \triangleright (M/x, \psi; V/y, \delta)$

trrec    :: $\Phi; C \triangleright \mu x \in F.\,P \Longrightarrow \Phi; C \triangleright P[\mu x \in F.\,P / x]$

trempty  :: $\Phi; C \triangleright \cdot \Longrightarrow \Phi; C \triangleright \cdot; \cdot$

trApp    :: $\Phi; C \triangleright x \in F = P\,M, D \Longrightarrow \Phi; C, x \in F = \cdot\,M, D \triangleright P$
trAppC   :: $\Phi; C, x \in F = \cdot\,M, D \triangleright \lambda x{:}A.\,P \Longrightarrow \Phi; C, x \in F = \cdot, D \triangleright P[\mathrm{id}_\Phi, M/x]$

trapp    :: $\Phi; C \triangleright x \in F = P\,\rho', D \Longrightarrow \Phi; C, x \in F = \cdot\,\rho', D \triangleright P$
trappC   :: $\Phi; C, x \in F = \cdot\,\rho', D \triangleright \Lambda\rho^L.\,P \Longrightarrow \Phi; C, x \in F = \cdot, D \triangleright P[\mathrm{id}_\Phi, \rho'/\rho]$

trassign :: $\Phi; C, x \in F = \cdot, D \triangleright V \Longrightarrow \Phi; C, (\cdot; V/x, \cdot) \triangleright D[V/x]$
trmeta   :: $\Phi; C, (\cdot; V/x, \cdot) \triangleright (\psi; \delta) \Longrightarrow \Phi; C \triangleright (\psi; V/x, \delta)$

trnew    :: $\Phi; C \triangleright \nu\rho^L.\,D \Longrightarrow \Phi, \rho^L; C, (\Lambda\rho^L.\,(\cdot; \cdot)) \triangleright D$
trnewC   :: $\Phi, \rho^L; C, (\Lambda\rho^L.\,(\cdot; \cdot)) \triangleright \psi; \delta \Longrightarrow \Phi; C \triangleright \Lambda\rho^L.\,(\psi; \delta)$

trcase   :: $\Phi; C \triangleright \mathbf{case}\ (\psi; \delta)\ \mathbf{of}\ \Omega \Longrightarrow \Phi; C \triangleright (\psi; \delta) \sim \Omega$

tryes    :: $\Phi; C \triangleright (\psi; \delta) \sim (\Omega, (\Psi' \triangleright \psi' \mapsto P)) \Longrightarrow \Phi; C \triangleright P[\psi''; \delta]$
            if there exists a $\psi''$ s.t. $(\psi'; \mathrm{id}_\Delta) \circ (\psi''; \delta) = (\psi; \delta)$
trno     :: $\Phi; C \triangleright (\psi; \delta) \sim (\Omega, (\Psi' \triangleright \psi' \mapsto P)) \Longrightarrow \Phi; C \triangleright (\psi; \delta) \sim \Omega$
            if there is no $\psi''$ s.t. $(\psi'; \mathrm{id}_\Delta) \circ (\psi''; \delta) = (\psi; \delta)$

$$\frac{}{S \Longrightarrow^* S}\ \text{trid}
\qquad
\frac{S_1 \Longrightarrow S_2 \quad S_2 \Longrightarrow^* S_3}{S_1 \Longrightarrow^* S_3}\ \text{trstep}$$

A.4 Typing Rules for Continuations

Judgments

Valid continuations:   $\Phi \vdash C \in F_1 \Rightarrow F$

Rules

$$\frac{}{\Phi \vdash \cdot \in F \Rightarrow F}\ \text{tcdone}$$

$$\frac{\Phi \vdash C \in F_1 \Rightarrow F \quad \Phi, \Psi; \Delta \vdash P \in F_1}{\Phi \vdash C, \mathbf{let}\ \cdot\ \mathbf{in}\ P \in (\Psi; \Delta) \Rightarrow F}\ \text{tclet}$$

$$\frac{\Phi \vdash C \in F_1 \wedge F_2 \Rightarrow F \quad \Phi; \cdot \vdash P \in F_2}{\Phi \vdash C, (\cdot, P) \in F_1 \Rightarrow F}\ \text{tcpair}$$

$$\frac{\Phi \vdash C \in F_1 \wedge F_2 \Rightarrow F \quad \Phi; \cdot \vdash V \in F_1}{\Phi \vdash C, (V, \cdot) \in F_2 \Rightarrow F}\ \text{tcmix}$$

$$\frac{\Phi \vdash C \in \exists x{:}A.\,F_1 \Rightarrow F \quad \lfloor\Phi\rfloor \vdash M : A}{\Phi \vdash C, \langle M, \cdot\rangle \in F_1[\mathrm{id}_\Phi, M/x] \Rightarrow F}\ \text{tcinx}$$

$$\frac{\Phi \vdash C \in (\Psi; x \in F_1, \Delta) \Rightarrow F \quad \Phi; x \in F_1 \vdash D \in \Psi; \Delta}{\Phi \vdash C, (x \in F_1 = \pi_1\,\cdot, D) \in F_1 \wedge F_2 \Rightarrow F}\ \text{tcfst}$$

$$\frac{\Phi \vdash C \in (\Psi; x \in F_2, \Delta) \Rightarrow F \quad \Phi; x \in F_2 \vdash D \in \Psi; \Delta}{\Phi \vdash C, (x \in F_2 = \pi_2\,\cdot, D) \in F_1 \wedge F_2 \Rightarrow F}\ \text{tcsnd}$$

$$\frac{\Phi \vdash C \in (\Psi; x \in F_1, \Delta) \Rightarrow F \quad \Phi; x \in F_1 \vdash D \in \Psi; \Delta}{\Phi \vdash C, (x \in F_1 = \cdot, D) \in F_1 \Rightarrow F}\ \text{tcassign}$$

$$\frac{\Phi \vdash C \in (\Psi; x \in F_1, \Delta) \Rightarrow F \quad \Phi; \cdot \vdash V \in F_1}{\Phi \vdash C, (\cdot; V/x, \cdot) \in (\Psi; \Delta) \Rightarrow F}\ \text{tcmeta}$$

$$\frac{\Phi \vdash C \in (x{:}A, \Psi; y \in F_1, \Delta) \Rightarrow F \quad \Phi, x{:}A; y \in F_1 \vdash D \in \Psi; \Delta}{\Phi \vdash C, ((x{:}A, y \in F_1) = \cdot, D) \in \exists x{:}A.\,F_1 \Rightarrow F}\ \text{tcsplit}$$

$$\frac{\Phi \vdash C \in (x{:}A, \Psi; y \in F_1, \Delta) \Rightarrow F \quad \lfloor\Phi\rfloor \vdash M : A \quad \Phi; \cdot \vdash V \in F_1[\mathrm{id}_\Phi, M/x]}{\Phi \vdash C, (M/x, \cdot; V/y, \cdot) \in [\mathrm{id}_\Phi, M/x](\Psi; \Delta) \Rightarrow F}\ \text{tcsubst}$$

$$\frac{\Phi \vdash C \in (\Psi; y \in F_1[\mathrm{id}_\Phi, M/x], \Delta) \Rightarrow F \quad \lfloor\Phi\rfloor \vdash M : A \quad \Phi; y \in F_1[\mathrm{id}_\Phi, M/x] \vdash D \in \Psi; \Delta}{\Phi \vdash C, (y \in F_1[\mathrm{id}_\Phi, M/x] = \cdot\,M, D) \in \forall x{:}A.\,F_1 \Rightarrow F}\ \text{tcApp}$$

$$\frac{\Phi \vdash C \in (\Psi; x \in F_1[\mathrm{id}_\Phi, \rho'/\rho], \Delta) \Rightarrow F \quad \lfloor\Phi\rfloor \vdash \rho = \rho' \quad \Phi; x \in F_1[\mathrm{id}_\Phi, \rho'/\rho] \vdash D \in \Psi; \Delta}{\Phi \vdash C, (x \in F_1[\mathrm{id}_\Phi, \rho'/\rho] = \cdot\,\rho', D) \in \Pi\rho^L.\,F_1 \Rightarrow F}\ \text{tcapp}$$

$$\frac{\Phi \vdash C \in \Pi\rho^L.\,(\Psi; \Delta) \Rightarrow F}{\Phi, \rho^L \vdash C, (\Lambda\rho^L.\,(\cdot; \cdot)) \in (\Psi; \Delta) \Rightarrow F}\ \text{tcnew}$$
Judgments

Valid states:   $\vdash S \in F$

Rules

$$\frac{\Phi \vdash C \in F_1 \Rightarrow F \quad \Phi; \cdot \vdash P \in F_1}{\vdash (\Phi; C \triangleright P) \in F}\ \text{tsprg}$$

$$\frac{\Phi \vdash C \in (\Psi; \Delta) \Rightarrow F \quad \Phi; \cdot \vdash D \in \Psi; \Delta}{\vdash (\Phi; C \triangleright D) \in F}\ \text{tsdec}$$

$$\frac{\Phi \vdash C \in F_1[\psi] \Rightarrow F \quad \Phi; \cdot \vdash \psi; \delta : \Psi; \Delta \quad \Psi; \Delta \vdash \Omega \in F_1}{\vdash (\Phi; C \triangleright (\psi; \delta) \sim \Omega) \in F}\ \text{tscase}$$

$$\frac{\Phi \vdash C \in (\Psi; \Delta) \Rightarrow F \quad \Phi; \cdot \vdash \psi; \delta \in \Psi; \Delta}{\vdash (\Phi; C \triangleright \psi; \delta) \in F}\ \text{tssub}$$
Appendix B

Operational Semantics

B.1 Preliminaries

B.1.1 Abstraction

Lemma 6.5 (Well-definedness of abstraction)

1. For all contexts $\Gamma_1$, if $\Gamma_1, \Gamma_2 \vdash A : \mathrm{type}$ then $\Gamma_1 \vdash \Pi\Gamma_2.\,A : \mathrm{type}$.

2. For all contexts $\Gamma_1$, if $\Gamma_1, \Gamma_2 \vdash M : A$ then $\Gamma_1 \vdash \Lambda\Gamma_2.\,M : \Pi\Gamma_2.\,A$.

Proof: by induction over $\Gamma_2$, using Lemma 6.3. A detailed proof can be found in Appendix B.1.

Proof: by induction over $\Gamma_2$ (1) and $\Gamma_2$ (2).

1. Case: $\Gamma_2 = \cdot$:

   $\Gamma_1 \vdash A : \mathrm{type}$      by assumption
   $\Gamma_1 \vdash \Pi\cdot.\,A : \mathrm{type}$      by Definition 6.4

   Case: $\Gamma_2 = x{:}A', \Gamma_2'$:

   Case: $A' \not\prec A$:

   $\Gamma_1, x{:}A', \Gamma_2' \vdash A : \mathrm{type}$      by assumption
   $\mathcal{V} :: \Gamma_1, \Gamma_2' \vdash A : \mathrm{type}$      by Lemma 6.3 (2)
   $\Gamma_1 \vdash \Pi\Gamma_2'.\,A : \mathrm{type}$      by i.h. on $\mathcal{V}$
   $\Gamma_1 \vdash \Pi(x{:}A', \Gamma_2').\,A : \mathrm{type}$      by Definition 6.4

   Case: $A' \prec A$:

   $\mathcal{V} :: \Gamma_1, x{:}A', \Gamma_2' \vdash A : \mathrm{type}$      by assumption
   $\Gamma_1, x{:}A' \vdash \Pi\Gamma_2'.\,A : \mathrm{type}$      by i.h. on $\mathcal{V}$
   $\Gamma_1 \vdash \Pi x{:}A'.\,(\Pi\Gamma_2'.\,A) : \mathrm{type}$      by rule fampi
   $\Gamma_1 \vdash \Pi(x{:}A', \Gamma_2').\,A : \mathrm{type}$      by Definition 6.4

2. Case: $\Gamma_2 = \cdot$:

   $\Gamma_1 \vdash M : A$      by assumption
   $\Gamma_1 \vdash \Lambda\cdot.\,M : \Pi\cdot.\,A$      by Definition 6.4

   Case: $\Gamma_2 = x{:}A', \Gamma_2'$:

   Case: $A' \not\prec A$:

   $\Gamma_1, x{:}A', \Gamma_2' \vdash M : A$      by assumption
   $\mathcal{V} :: \Gamma_1, \Gamma_2' \vdash M : A$      by Lemma 6.3 (2)
   $\Gamma_1 \vdash \Lambda\Gamma_2'.\,M : \Pi\Gamma_2'.\,A$      by i.h. on $\mathcal{V}$
   $\Gamma_1 \vdash \Lambda(x{:}A', \Gamma_2').\,M : \Pi(x{:}A', \Gamma_2').\,A$      by Definition 6.4

   Case: $A' \prec A$:

   $\mathcal{V} :: \Gamma_1, x{:}A', \Gamma_2' \vdash M : A$      by assumption
   $\Gamma_1, x{:}A' \vdash \Lambda\Gamma_2'.\,M : \Pi\Gamma_2'.\,A$      by i.h. on $\mathcal{V}$
   $\Gamma_1 \vdash \lambda x{:}A'.\,\Lambda\Gamma_2'.\,M : \Pi x{:}A'.\,(\Pi\Gamma_2'.\,A)$      by rule objlam
   $\Gamma_1 \vdash \Lambda(x{:}A', \Gamma_2').\,M : \Pi(x{:}A', \Gamma_2').\,A$      by Definition 6.4

□

Lemma 6.7 (Abstraction)

1. If $\mathcal{E} :: \Phi_0, \rho^L; \cdot \vdash \psi_1, \rho/\rho, \psi; \delta \in \Psi_1, \rho^L, \Psi; \Delta$
   and $\mathcal{D} :: \Phi_0; \cdot \vdash \psi_1; \cdot \in \Psi_1; \cdot$
   then $\Phi_0; \cdot \vdash \psi_1, \psi'; \delta' \in \Psi_1, \Psi'; \Delta'$
   and $\psi'; \delta' = \Lambda\rho^L.\,(\psi; \delta)$
   and $\Psi'; \Delta' = \Pi\rho^L.\,(\Psi; \Delta)$.

2. If $\Phi_0, \rho^L; \cdot \vdash \psi_1, \rho/\rho; \delta \in \Psi_1, \rho^L; \Delta$
   and $\mathcal{D} :: \Phi_0; \cdot \vdash \psi_1; \cdot \in \Psi_1; \cdot$
   then $\Phi_0; \cdot \vdash \psi_1; \delta' \in \Psi_1; \Delta'$
   and $\cdot; \delta' = \Lambda\rho^L.\,(\cdot; \delta)$
   and $\cdot; \Delta' = \Pi\rho^L.\,(\cdot; \Delta)$.

Proof:

1. by induction on $\Psi$:

   Case: $\Psi = \cdot$

   $\mathcal{E} :: \Phi_0, \rho^L; \cdot \vdash \psi_1, \rho/\rho; \delta \in \Psi_1, \rho^L; \Delta$      by assumption
   $\mathcal{Q}_1 :: \Phi_0; \cdot \vdash \psi_1; \delta' \in \Psi_1; \Delta'$      by i.h.(2) on $\mathcal{E}, \mathcal{D}$
   $\mathcal{Q}_2 :: \cdot; \delta' = \Lambda\rho^L.\,(\cdot; \delta)$      by i.h.(2) on $\mathcal{E}, \mathcal{D}$
   $\mathcal{Q}_3 :: \cdot; \Delta' = \Pi\rho^L.\,(\cdot; \Delta)$      by i.h.(2) on $\mathcal{E}, \mathcal{D}$

   Case: $\Psi = x{:}A, \Psi'$

   $\mathcal{E} :: \Phi_0, \rho^L; \cdot \vdash \psi_1, \rho/\rho, M/x, \psi'; \delta' \in \Psi_1, \rho^L, x{:}A, \Psi'; \Delta'$      by assumption
   $\mathcal{E}_1 :: \Phi_0, \rho^L \vdash M : A[\psi_1, \rho/\rho]$      by several inversion steps
   $\mathcal{E}_2 :: \Phi_0 \vdash \Lambda\rho.\,M : \Pi\rho.\,A[\psi_1, \rho/\rho]$      by Lemma 6.5 (2) on $\mathcal{E}_1$
   $\mathcal{E}_2 :: \Phi_0 \vdash \Lambda\rho.\,M : (\Pi\rho.\,A)[\psi_1]$      by definition of LF substitution
   $\mathcal{E}_3 :: \Phi_0, \rho^L; \cdot \vdash \psi_1, \Lambda\rho.\,M/x, \rho/\rho, \psi'; \delta' \in \Psi_1, x{:}\Pi\rho.\,A, \rho^L, \Psi''; \Delta''$      by limited LF exchange property
   $\mathcal{E}_4 :: \Psi''; \Delta'' = [(x\ \rho)/x](\Psi'; \Delta')$      trivial
   $\mathcal{D}_1 :: \Phi_0; \cdot \vdash \psi_1, \Lambda\rho.\,M/x; \cdot \in \Psi_1, x{:}\Pi\rho.\,A; \cdot$      by sass on $\mathcal{D}, \mathcal{E}_2$
   $\mathcal{Q}_1 :: \Phi_0; \cdot \vdash \psi_1, \Lambda\rho.\,M/x, \psi''; \delta'' \in \Psi_1, x{:}\Pi\rho.\,A, \Psi'''; \Delta'''$      by i.h.(1) on $\mathcal{E}_4, \mathcal{D}_1$
   $\mathcal{D}_2 :: \psi''; \delta'' = \Lambda\rho^L.\,(\psi'; \delta')$      by i.h.(1) on $\mathcal{E}_4, \mathcal{D}_1$
   $\mathcal{D}_3 :: \Psi'''; \Delta''' = \Pi\rho^L.\,(\Psi''; \Delta'')$      by i.h.(1) on $\mathcal{E}_4, \mathcal{D}_1$
   $\mathcal{Q}_2 :: \Lambda\rho^L.\,(M/x, \psi'; \delta') = \Lambda\rho.\,M/x, \psi''; \delta''$      by rpass and $\mathcal{D}_2$
   $\mathcal{Q}_3 :: \Pi\rho^L.\,(x{:}A, \Psi'; \Delta') = x{:}\Pi\rho^L.\,A, \Psi^{(4)}; \Delta^{(4)}$      by rass
   $\mathcal{U}_1 :: \Psi^{(4)}; \Delta^{(4)} = \Pi\rho^L.\,([(x\ \rho)/x](\Psi'; \Delta')) = \Pi\rho^L.\,(\Psi''; \Delta'') = \Psi'''; \Delta'''$      by rass

2. by induction on $\Delta$:

   Case: $\Delta = \cdot$

   $\Phi_0; \cdot \vdash \psi_1; \cdot \in \Psi_1; \cdot$      by assumption $\mathcal{D}$

   Case: $\Delta = x \in F, \Delta'$

   $\mathcal{E} :: \Phi_0, \rho^L; \cdot \vdash \psi_1, \rho/\rho; P/x, \delta' \in \Psi_1, \rho^L; x \in F, \Delta'$      by assumption
   $\mathcal{E}_1 :: \Phi_0, \rho^L; \cdot \vdash \psi_1, \rho/\rho; \delta' \in \Psi_1, \rho^L; \Delta'$      trivial
   $\mathcal{D}_1 :: \Phi_0; \cdot \vdash \psi_1; \delta'' \in \Psi_1; \Delta''$      by i.h.(2) on $\mathcal{E}_1, \mathcal{D}$
   $\mathcal{D}_2 :: \cdot; \delta'' = \Lambda\rho^L.\,(\cdot; \delta')$      by i.h.(2) on $\mathcal{E}_1, \mathcal{D}$
   $\mathcal{D}_3 :: \cdot; \Delta'' = \Pi\rho^L.\,(\cdot; \Delta')$      by i.h.(2) on $\mathcal{E}_1, \mathcal{D}$
   $\mathcal{Q}_1 :: \Phi_0; \cdot \vdash \psi_1; \Lambda\rho^L.\,P/x, \delta'' \in \Psi_1; x \in \Pi\rho^L.\,F, \Delta''$      trivial
   $\mathcal{Q}_2 :: \Lambda\rho^L.\,(\cdot; P/x, \delta') = \cdot; \Lambda\rho^L.\,P/x, \delta''$      by rpmeta on $\mathcal{D}_2$
   $\mathcal{Q}_3 :: \Pi\rho^L.\,(\cdot; x \in F, \Delta') = \cdot; x \in \Pi\rho^L.\,F, \Delta''$      by rmeta on $\mathcal{D}_3$

□


B.1.2  Substitution 

Lemma 6.20 (Substitution lemma for meta-substitutions)

1. If $\mathcal{D} :: \Psi; \Delta \vdash P \in F$
   and $\mathcal{D}' :: \Psi'; \Delta' \vdash \psi; \delta \in \Psi; \Delta$
   then $\Psi'; \Delta' \vdash P[\psi; \delta] \in F[\psi]$.

2. If $\mathcal{D} :: \Psi; \Delta \vdash D \in \Psi''; \Delta''$
   and $\mathcal{D}' :: \Psi'; \Delta' \vdash \psi; \delta \in \Psi; \Delta$
   then $\Psi'; \Delta' \vdash D[\psi; \delta] \in [\psi]\Psi''; [\psi, \mathrm{id}_{\Psi''}]\Delta''$.

3. If $\mathcal{D}_1 :: \Psi_2; \Delta_2 \vdash \psi_1; \delta_1 \in \Psi_1; \Delta_1$
   and $\mathcal{D}_2 :: \Psi_3; \Delta_3 \vdash \psi_2; \delta_2 \in \Psi_2; \Delta_2$
   then $\Psi_3; \Delta_3 \vdash (\psi_1; \delta_1) \circ (\psi_2; \delta_2) \in \Psi_1; \Delta_1$
   and $(\psi_1; \delta_1) \circ (\psi_2; \delta_2) = (\psi_1 \circ \psi_2; \delta')$ for some meta-substitution $\delta'$.

Proof: by simultaneous induction over $\mathcal{D}$ (1), $\mathcal{D}$ (2), and $\mathcal{D}_1$ (3).


Pi 

(x  6  P)  €  A 

1.  Case:  P  = - axvar 

$;Ah  x  G  F 

£  ::  x[V»;  d]  =  d(x) 

A';  4''  b  <J(x)  €  F[ip] 

Case:  P  = - RT 

$;Ah{)eT 

e--  <>M  =  <> 

Q  ::  4'';  A'  b  ()  G  T 


by  inversion  on  £ 
by  Lemma  6.19  (1)  on  P.  T>\ 


by  assumption 
by  RT 


Pi 

ty,x  :  A;  A  b  P  G  F 

Case:  P  = - RV 

4>;  A  b  A x:A.P€  V® :  A.  F 

V\  ::  4V,  x  :  A [1/1] ;  A'  b  i/>,x/x:  S  :  I',  x  :  A:  A 
£  ::  (A®  :  A.  P)[i/>:  6}  =  Ax  :  A[ij)}.  P' 

£]  ::  P[i/),x/x;  d]  =  P' 

Qi  ::  4'',®  :  A[y>];  A'hP'e  F[^,®/®] 

C  ::  A'  h  A:c  :  A [1/1].  P'  G  V®  :  A[V>].  F[i/>,  x/x] 
Q  ::  4'';  A'  b  A®  :  A [1/1].  P'  G  (V®  :  A.  F)[iji] 


by  Lemma  6.16  (2)  on  V 
by  assumption 
by  inversion  on  £ 
by  i.h.(l)  on  Pi, Pi  and  £\ 
by  RV  on  Q\ 
by  sAII 


Pi 

L/;Ah  PGP 

Case:  P  = - RI1 

$;Ah  XpL.Pe  UpL.  F 

Pi  »  4»',  {[^]p)Li  A'  b  Vd  [V'W#  3  :  4»,pL;  A 
(ApL.P)[Vi;d]  =  A([Vi]p)^.P' 

£1  ::  P[ip  Mp/p;  <5]  =  P' 

Si  "  ([V’]p)L;  AAP'e  P[Vb  [0]p/p] 

S  ::  4'';  A'  b  A([y,]p)L.P'  G  n([V>]p)L.  Fty,  [V’Wp] 
Q  ::  A'  b  A([t/>]p)l.  P'  G  (IIpP  F)[$ 


by  Lemma  6.16  (2)  on  P 
by  assumption 
by  inversion  on  £ 
by  i.h.(l)  on  Pi, Pi  and  £\ 
by  RII  on  Qi 
by  sAIIP 


Pi  P2 

4>  b  M  :  A  4»;  A  b  P  G  F[M/x] 

Case:  P  = - R3 

4*;  A  b  { M,P )  G  3®  :  A.F 
$\mathcal{D}' :: \Psi' \vdash \psi \in \Psi$

Qi  ::  V  b  M[</>]  : 

5::  {M,P)[ip-,8]  =  {M[iP),P') 

£1  =  P' 

Q2  ::  $';A'hP  G  P[Af/a;][^] 

Q2  -  d/';  A'  b  P'  G  F[ip,x/x][M[ip]/x] 

Q  ::  d>';  A'  b  (M[ip\,P')  G  3a; :  A[i/>].  P[i/>,  z/a;] 
Q::V;A'\- {M[iP],P')  e{3x:A.F)[ip] 


by  Lemma  5.21  on  V 
by  Lemma  6.2  on  V  and  'D\ 
by  assumption 
by  inversion  on  £ 
by  i.h.(l)  on  V, T>\  and  £\ 
by  Lemma  6.14  (1) 
by  R3  on  Qi,  Q2 
by  sEx 


T>i  V 2 

d*;  A  b  Pi  G  Pi  d>;  A  b  P2  G  P2 

Case:  V  = - r/\ 

d1;  A  b  (Pi,P2)  G  Pi  AP2 

£■■  (Pi,P2MS}  =  (P[iPi) 

£i  ::Pi[tP;6]=P[ 

£2::P2[ip-,8]^P’ 

Qi  ::V;A'\-P{  GPi[i/>] 

Q2  ::  dd;A'bP'  GP2[i/>] 

Q  ::  dP;  A'  b  (P[,P^)  G  Pi  [ip]  A  F2[ip] 

Q::  ^';A'l-(P1',P')G(PiAP2)[^] 


by  assumption 
by  inversion  on  5 
by  inversion  on  £ 
by  i.h.(l)  on  P,  Pi  and  £\ 
by  i.h.(l)  on  V,  V2  and  £2 
by  RA  on  Qi,  Q2 
by  sAnd 


Case: 


P  = 


Pi  P2 

d>;  A  b  D  G  d>";  A"  $,$";A,A"hPGF 


$;Ah  let  D  in  P  G  P 


£  ::  (let  D  in  P)[ip;  <5]  =  let  D'  in  P' 

£1  ::  D[if>-,6]  =  D' 

Q 1  ::  d'';  A'  b  D'  G  [</>]$";  [^,id#»]A" 

P2  ::  d>',  [-0] SP" ;  A',  [-0,  id^,//]A"  b  V’,  id^,// ;  5,  idA» 

£2  ::  P[ipi idvp";  8, id^"]  =  P' 

Q2  ::  d/,  [ip]^";  A,  [ip,  idq,»]A"  b  P'  G  F[ip,  id^//] 
Q2  ::  d»,  [ip]^";  A,  [1/),  id^'/jA"  b  P'  G  P[i/>] 

Q  ::  d'/;  A'  b  let  D'  in  P'  G  F[iP] 


by  assumption 
by  inversion  on  £ 
by  i.h.(2)  on  P,Pi  and  £1 
'L,  d<";  A,  A" 

by  Lemma  6.16  (3)  on  Pi 
by  inversion  on  £ 
by  i.h.(l)  on  P2,P2  and  £2 
trivial 
by  sel  on  Qi,  Q2 


Pi 

d';  A,x  €  F  b  P  G  F 

Case:  P  = - pctx 

dr;Ab/ixGPPGF 

Pi  ::  d'';  A',  x  G  F[tp ]  b  ip\  8 ,  x/x  :  d>;  A,  x  G  P 
£  ::  {fix  G  P.  P)[i/>;  <J]  =  /xx  G  P[#  P' 

£1  ::  P[^;  <5,  x/x]  =  P' 

Qi  ::d,';A',xGP[V’]bP'GP[?/>] 

Q  ::  d,/;  A'  b  /xx  G  P[#  P'  G  P[i/>] 


by  Lemma  6.16  (3)  on  P 
by  assumption 
by  inversion  on  £ 
by  i.h.(l)  on  Pi, Pi  and  £1 
by  Rctx  on  Qi 
$\mathcal{D}_1 \qquad \mathcal{D}_2$

9f;Ah  V"; A"  A"  b  f2  G  F 

Case:  7?  = - case 

$;Ah  case  «;  A")  of  fl  G  F  [-<//'] 

£  ::  (case  8")  of  fi)^;  <5]  =  case  (?/F;  8")  o  (ij>:  £)  of  II 

F::(V/;<50  =  (V’V")°(<M) 

F]  ::  F';  A'  b  V/;  tf'  :  \t'";  A" 

T‘2  ::  tj>'  —  ij)"  o  ?/; 

Q  ::  'L7;  Ar  b  case  ^w)  °  (^;  <5)  of  f2  G  F[^w  °  V;] 

Q  ::  A'  b  case  (V/';  <f")  o  (V>;  A)  of  fi  e  F[V’"M 


by  assumption 
by  i.h.(3)  on  V,  T>\ 
by  i.h.  (3)  oil  V,V\ 
by  i.h.  (3)  on  V ,  T>\ 
by  case  on  Fi,V2 
by  definition 


2.  Case:  P - Ldone 

A  b  •  G  • 


£  ::  [#  =  • 

by  assumption 

by  Ldone 

G::®';  A'b  - €[#;[# 

by  clef,  substitution 

Pi  ::  S(L)  =  SOME  Cj.  BLOCK  C2 

P2-  ::  $  b  o-  :  Cj 

T 

III 

P4  ::  ^FAhflefiA" 

Case:  V  =  Lnew 

$;Ah  u  pL.De  npL.(^";A") 

£  ■■■■{!'  PL ■  D)[tl> ;  8]  =  u  {[^}p)L.  D' 

by  assumption 

£,  ::  D'  =  Dfy,[i/>}p/p:S] 

by  inversion  on  £ 

Pi  ::  {[^}p)L;  A'  b  tp,  [i>]p/p;  8  :  <!»,  pL- A 

by  Lemma  6.16  (2)  on  V 

.  Q4 ::  ([V’]p)  ;  A'ffi'e  [v^,  {^\p/pW\  [if>,  [V’]p/p-  id*«]A" 

by  i.h. (2)  on  Vi)V\  and  £\ 

Q2  ::  4»'  b  a  o  ?/;  :  Cj 

by  Lemma  6.12  (1) 

Qs  ::  F'  b  [ip]p  =  C2[a  o  i/>] 

by  Lemma  6.12  (2) 

Q  ::  A'  b  u  {[^)p)L .  D'  G  n([#?)L.  (ty,  [V'Wp]*" 

;  [Va  W\pIpMv’]  a") 

by  Lnew  on  V\,  Q> 2,  and  Q\ 

G  ::  A'  b  */  £>'  G  (II/.  A"))[V>] 

by  Lemma  6.17 

V\  ::  $;Ah  P  eVx:  A.F 
P2  ::  b  M  :  A 

P3  ::  A,  y  G  F[M/.r]  b  D  G  F";  A" 

Case:  P  = - LV 

$;Ahy£  F[M/x\  =  PM,De  y  G  F[M/a:],  A" 

£  ::  (y  €  F[M/x ]  =  P  M,  D)[xjr,  <5]  =  (y  G  F[M/x}[iJ>}  =  P'  D') 

by  assumption 
$\mathcal{E}_1 :: P[\psi; \delta] = P'$      by inversion on $\mathcal{E}$

£2  ::  6 ,  y/y]  =  D'  by  inversion  on  £ 

Q\  ::  4>';  A'  P  P'  G  Vx  :  Aty].  Pfo/*,®/®]  by  i.h.(l)  on  V,T>i  and  £\ 

0,2  4£  P  :  A[ip ]  by  Lemma  6.2 

Vi  ::  4E*';  A',y  G  P[M/a:][V>]  P  ip',S,y/y  :  $;A,y  £  P[M/a;] 

by  Lemma  6.16  (3)  on  P 

Q3  ::  A',  y  G  F[M/z][V>]  HD'g  [$*";  [V>,  id*«]A")  by  i.h.(2)  on  Vu  £>3  and  £2 

<23  ::  4/';  A',y  G  F[if},x/x][M[tp]/x]  P  D'  G  [^]4F;  [^>,  id$»]Aw  by  Lemma  6.14  (1) 
Q  ::  A'  P  y  G  F[ip,x/x][M[ip]/x]  =  P'  M[ip\,D' 

G  [*/»]$";  y  G  F[if>,x/x][M[^]/x],[^,\ d*»]A" 

by  LV  on  Qi,  S2,  and  Q3 

Q  ::  A'  P  y  G  F[M/a;][</>]  =  P'  Afty],  D' 

G  [?/>]4/";y  G  PfM/x]^],  [^,id^»]A"  by  Lemma  6.14  (1) 

Q  ::  4>';  A'  P  y  G  F[M/x][i/>]  =  P'  Afty],  D' 

G  [^]4;";  [V>,idvp«](y  G  F[M/x],  A")  trivial 

Pi  ::  4>;  A  P  P  G  IIpL.  P 
P2  ::  p,L  G  $ 

P3  ::  4>  P  p'  =  p 

Vi  ::  $;A.y  G  P[p7p]  PPG  A" 

Case:  P  = - LIT 

4>;  A  P  y  G  F[p7p]  =  P  p',D  €  4>";  y  G  F[p'/p],  A" 

£  ■■  (y  G  P[/o'/p]  =  P  p',D)bl>;fi]  =  (y  €  F[p7p][7]  =  p'  [ip]p',D')  by  assumption 
£\  ::  <))  =  P'  by  inversion  on  £ 

£2  ::  D[i/j;  6,  y/y]  =  D'  by  inversion  on  £ 

V  ::  4£  P  ip  G  4*  by  Lemma  5.21 

Qi  ::  4>';  A'  P  P'  G  n ([?/>] p) L.  F[ip,  p/p]  by  i.h.(l)  on  V,  Pi  and  £1 

Q2  ::  ([ip]p')L  G  4/'  by  Lemma  6.19  (2) 

Qz  ::  4/'  P  [s/ijp'  =  |7]p  by  Lemma  6.23  on  V'  and  P2 

Pi  ::  4/';  A',  y  G  F[/o'/p][V’]  P  ^]S,y/y  :  4>;  A,y  G  F[p'/p]  by  Lemma  6.16  (3)  on  P 
Qi  ::  4d;  A',y  G  F[p' / p][ip]  P  D'  G  [V’j  id$»]A"  by  i.h.(2)  on  Pi,  P4  and  £2 

Qi  ::  4/';  A',y  G  P[^>,  p/ p][[i(>]p' / p]  PD'g  [^,id*"]Aw  by  Lemma  6.14  (2) 

Q  ■■  W;  A'  p  y  G  P[V>,p/p][[V’]p7p]  =  -P'  [V^-D' 

G  M$";ye  P[V>,p/p][[V>]p7p]>  [V’pdif/'jA" 

by  LII  on  Qi,  Q2,  Q3,  Q4 

G  "  A'  P  y  G  F[p7pM  =  P'  W,D'  g  [V>]4>";y  g  F[p7/°M  [</>,id*»]A" 

by  Lemma  6.14  (2) 

Q  "  4/';  A'  P  y  G  i'V/pM  =  P'  bP]p',  D'  G  [V>]4/";  [</>,  id«p"](y  G  P[p7p],  A")  trivial 


Pi  P2 

•PeQgDP'.P  4';A,yGFPE;5DG4'";A" 

Case:  P  = - 

4>;  A  PE;5  y  G  F  =  lemma  Q,D  e  4 y  G  P,  A" 

£  ::  (y  G  P  =  lemma  Q,  D)^;  <5]  =  (y  G  P  =  lemma  Q,  D') 
£1  ::  P[V>;5,y/y]  =  £>' 


by  assumption 
by  inversion  on  £ 
$F[\psi] = F$      $F$ is closed

.  •  V\  ::  4b;  A',  y  G  F  b  ip;  8,  y/y  :  4>;  A.y  G  F  by  Lemma  6.16  (3)  on  V 

Qi  ::  't'A'ye  FhD'e  [V>]4-";  [if,,  id*„]A"  'by  i.h.(2)  on  Vl,V2,£l 

Q  ::  4b,  A'  hy  GF  =  lemma  Q,P'  e[^;y  €  F,[V;,id*»»]A"  by  L5  on  Vl,Q] 
0  ::  A'  b  y  G  F  =  lemma  Q,  D'  G  [V#";  [ip,  id*„](y  G  F,  A")  trivial 

Pi  P2 

$;AhFe3i:AF  $,i:  AA,y  efhDe  4>";  A" 

Case:  P  = - - L3 

V;A\-{x:A,yeF)  =  P,Dex:A,  4'";  y  G  F,  A" 

£  ::  {{x  :  A,y  €  F)  —  P,D){ifr,8 }  =  ((.t  :  A[if)],  y  G  F[Vb  :r/-7;])  =  F',P') 

by  assumption 

£\  ::  P[if>;8\  =  P'  by  inversion  on  £ 

£i  ::  D[i/>,x/x;8,  y/y]  =  D'  by  inversion  on  £ 

Q\  ::  4b;  A'  b  P'  G  (3.r  :  A[if)\.  F[ip,  x/x})  by  i.h.(l)  on  P,P]  and  £\ 

V\  ::  4b,  x  :  A[il>]\A'.y  G  F[ij),x/x]  b  if),  x/x:  S.  y/y  :  4/,  a;  :  A;A,y  6  F 

by  Lemma  6.16  (3)  on  V 

0.2  ■■  4'',  x  :  A[if>\;  A',  y  G  F[i/b  x/x]  b  D'  G  [V#";  [Vb  id,HA" 

by  i.li. (2)  on  V\,V2  and  £2 

Q  ::  4b;  A'  b  ((x  :  ^4[V^],y  €  F[if>,  x/x])  =  P',  D') 

G  x  :  A[iJ],  [V>]4>";y  £  F[i/),x/x],  [y>,  idy«]Aw 

by  L3  on  Q  \  and  Q2 

Q  ::  4b;A'  b  ((x  :  A[i/>], y  G  F[if>,x/x])  =  P',D')  G  [p](x  :  A  4'");  [Vb id#»](y  G  F,  A") 

trivial 


Case:  P  = 


Pi  P‘2 

4b  A  b  P  G  Fi  AF2  *;A,x  G  Fj  b  D  G  S'";  A" 
4>;  A  b  X  G  F]  =  7T]  F,  P  G  4'";  x  G  Fi ,  A" 


LA, 


£  ::  (x  €  F\  =  7rj  P,D)[tjy,S\  =  (x  G  Fi  ['(/’]  =  7Ti  P',D')  by  assumption 

£]  ::  P[if);8]  =  P'  by  inversion  on  £ 

£■1  ::  D ['(/: ;  (5,  x/x]  =  D'  by  inversion  on  £ 

Q\  ::  4b;  A'  b  P'  G  F[[i/]  A  F2[t/>]  by  i.h.(l)  on  P,Pj  and  £\ 

V\  ::  4b;  A',  x  G  Fi  [ if) ]  b  8 ,  x/x  :  4b  A,  x  G  Fi  by  Lemma  6.16  (3)  on  V 

Q‘2  ::  4/';  A',  x  G  F]  [V7J  b  D'  G  [t/>]4b';  [Vb  idq,»]A"  by  i.li.(2)  on  Fj ,  P2  and  <?2 

Q  ::  4>';  A'  b  (x  G  Fi[ip]  =  tt,  F',P')  G  [V']4'";x  G  Fi  [</’],  [Vb'kV]A" 

by  l_A|  on  Qi  and  Q2 

Q  ::  4/';  A'  b  (x  G  F]  [V’]  =  P D')  €  [V;]4'";  [if),  id«i,»](y  G  Fi ,  A")  trivial 


Case:  P  = 


Vx 

4>;  A  b  F  G  Fx  A  F2 


Fi 

4»;  A,x  G  F2  b  D  G  4'";  A" 


4b  A  b  x  G  F2  =  7t2  F,F  G  4/";x  G  F2,  A" 
£  (x  G  F2  =  tt2  F,  P)[V>;  <5]  =  (x  G  F2[0]  =  tt2  F,  P') 


la2 


by  assumption 
$\mathcal{E}_1 :: P[\psi; \delta] = P'$      by inversion on $\mathcal{E}$

£2  ::  D[ip;  5,  x/x]  =  D'  by  inversion  on  £ 

Qi  ::  'L';  A'  h  P'  6  Fi[ip]  A  -P2 ["0]  by  i.h.(l)  on  V.  V\  and  £\ 

V\  ::  A',x  G  F2[ip]  b  ?/>;£,  x/x  :  $;A,x  6  P2  by  Lemma  6.16  (3)  on  V 

Q2  ::  A',  x  G  P2[</>]  hP'e  [$$";  [</>,  id*»]A"  by  i.h.(2)  on  VUV2  and  £2 

Q  ::  ’L';  A'  b  (x  G  P2[V>]  =  tt2  P',  D')  G  M’L";  x  G  P2[V>],  [</>,  id^]A" 

by  LAi  on  Qi  and  Q2 

Q  ::  *L';  A'  b  (x  G  F2[^>]  =  7r2  P',  D')  G  [V’j’L";  [Vb  id>i<"](y  G  F2,  A")  trivial 


V[ 

^2  b  V’l  ^  'Ll 

3.  Case:  Pi  = - sabstract 

$2;A2  b^ib  G  d/i;  • 

Qi  ::  L3  b  i\)2  €  d<2 
Q2  ”  ^3  b  Vb  0  V>2  G  ’Ll 

Pi  ::  ^3;  A3  b  (V>i  o^j);.  G  ’Ll;  • 

P2  ::  $3^3  b  (^i;-)  o  (fo'ifa)  £  ’Ll;- 


by  Lemma  5.21  on  P2 
by  Lemma  5.18  on  T>[,  Q\ 
by  sabstract  on  Q2 
by  Definition  5.19  (cempty) 


V\  V'{ 

$2;A2hPeP^i]  tP2;  A2  b  ip\;S\  G  ’Ll;  Ai 

Case:  Pi  = - smeta 

*L2;  A2  b  -il)i;Si,P/x  G  'Li;Ai,x  G  F 


Qi 

Qi 

Q2 

Q.3 

Pi 

n2 


^3;  A3  b  P[^2;  ^2]  €  P[f/’l]['i/’2] 

'L3;  A3  b  P[tp2;  h]  G  PfV’i  o  ^2] 

^3;  A3  b  (-01 ;  <^i )  0  (02!  ^2)  €  'Ll!  Ai 
(0i;  Ai)  o  (V> 2-h )  =  {tpi  oip2,F) 

^3;  A3  b  (V>1  oip2,S',P[ip2-,S2\/x)  G  ’Ll;  Ai,x  G  F 
^3;  A3  b  (0i;  <5i ,P/x)  O  (-02;  <52)  G  Lx;  Ax,x  G  F 


by  i.h.(l)  on  T>[ . P2 
trivial 

by  i.h.(3)  on  P'/,P2 
by  i.h.(3)  on  P'/,P2 
by  smeta  on  Qi ,  Q2 
by  Definition  5.19  (cmeta) 


□ 

B.2  Strictness 

Lemma 6.30 (Soundness)

If $\mathcal{D} :: \vdash \Phi \triangleright \exists\Psi'.\ \psi \approx \eta\{\top\}$ matchable

then there exists a (unique) $\eta'$, $\Phi \vdash \eta' \in \Psi'$ and $\psi \circ \eta' = \eta$.

Proof: direct.

$\mathcal{D}_1 :: \Phi \triangleright \exists\Psi'.\ \psi \approx \eta\{\top\} \Longrightarrow^* \Phi \triangleright \top\{U\}$

$\mathcal{D}_2 :: \Phi \triangleright U\{\top\} \Longrightarrow^* \Phi \triangleright \top\{\top\}$

5  *  is  solution  for  T{T} 

there exists an $\eta = \cdot$ ($\Phi \vdash \eta \in \cdot$)
s.t. $\eta$ is a solution of $U\{\top\}$


for  some  J7  by  inversion 
by  inversion 
by  Lemma  6.29 

by  Lemma  6.28(2)  on  P2 
$\eta$ is solution for $U_1 \wedge \top$

$\eta$ is solution for $U_1$

$\eta$ is solution for $\top \wedge U$

$\eta$ is solution for $\top\{U\}$

there exists an $\eta'$ ($\Phi \vdash \eta' \in \Psi'$)

s.t. $\eta'$ is a solution of $\exists\Psi'.\ \psi \approx \eta\{\top\}$

$\psi \circ \eta' = \eta$


Lemma 6.32 (Completeness I)

1. If $U_1 \neq \top$

and $\Phi \triangleright \exists\Psi.\ U_1\{U_2\}$ is given

and $\eta$ ($\Phi \vdash \eta \in \Psi$) is a solution of $\exists\Psi.\ U_1\{U_2\}$

and $\Psi \vdash U_1$ strict

then $\Phi \triangleright \exists\Psi.\ U_1\{U_2\} \Longrightarrow \Phi \triangleright \exists\Psi'.\ U_1'\{U_2'\}$

and there exists an $\eta'$ ($\Phi \vdash \eta' \in \Psi'$) which is a solution of $\exists\Psi'$

and $\Psi' \vdash U_1'$ strict

and $(|\Psi'|, |U_1'|) <_{lex} (|\Psi|, |U_1|)$.

2. If $T = \Phi \triangleright \exists\Psi.\ U_1\{U_2\}$ is given matching state

then $T \Longrightarrow^* \Phi \triangleright \top\{U\}$ for some $U$.

Proof: 1) by inspection of the rules, 2) by induction on $(|\Psi|, |U_1|)$.

Case: $(|\Psi|, |U_1|) = (0, 0)$.

$T = \Phi \triangleright \top\{U_2\}$

$\Phi \triangleright \top\{U_2\} \Longrightarrow^* \Phi \triangleright \top\{U_2\}$

Case: $(|\Psi|, |U_1|) \neq (0, 0)$.

$T = \Phi \triangleright \exists\Psi.\ U_1\{U_2\}$

$\Phi \triangleright \exists\Psi.\ U_1\{U_2\} \Longrightarrow \Phi \triangleright \exists\Psi'.\ U_1'\{U_2'\}$

$(|\Psi'|, |U_1'|) <_{lex} (|\Psi|, |U_1|)$

$\Phi \triangleright \exists\Psi'.\ U_1'\{U_2'\} \Longrightarrow^* \Phi \triangleright \top\{U\}$ for some $U$.

$\Phi \triangleright \exists\Psi.\ U_1\{U_2\} \Longrightarrow^* \Phi \triangleright \top\{U\}$ for some $U$.


Lemma 6.33 (Completeness II)

1. If $U \neq \top$
and $\Phi \triangleright U\{\top\}$ is given

and $\cdot$ ($\Phi \vdash \cdot \in \cdot$) is a trivial solution for $U\{\top\}$
then $\Phi \triangleright U\{\top\} \Longrightarrow \Phi \triangleright U'\{\top\}$
and $\cdot$ ($\Phi \vdash \cdot \in \cdot$) is a trivial solution for $U'\{\top\}$
and $|U'| < |U|$.


by  Definition  6.25 
by  Definition  6.25 
by  Definition  6.25 
by  Definition  6.25 

by Lemma 6.28(2) on $\mathcal{D}_1$
by  Definition  6.25 

□ 


by Lemma 6.31(1)
by mrefl

by assumption
by i.h.(1)
by i.h.(1)
by i.h.(2)
by mtrans

□ 
2. If $T = \Phi \triangleright U\{\top\}$ is given matching state
then $\Phi \triangleright U\{\top\} \Longrightarrow^* \Phi \triangleright \top\{\top\}$

Proof: 1) by inspection of the rules, 2) by induction on $|U|$.
Case: $|U| = 0$.

$T = \Phi \triangleright \top\{\top\}$

$\Phi \triangleright \top\{\top\} \Longrightarrow^* \Phi \triangleright \top\{\top\}$

Case: $|U| \neq 0$.

$T = \Phi \triangleright U\{\top\}$

$\Longrightarrow \Phi \triangleright U'\{\top\}$

$|U'| < |U|$

$\Longrightarrow^* \Phi \triangleright \top\{\top\}$

$\Longrightarrow^* \Phi \triangleright \top\{\top\}$


by  Lemma  6.31  (1) 
by  mrefl 


by  assumption 
by i.h.(1)
by i.h.(1)
by  i.h.(2) 
by  mtrans 


□ 


Theorem 6.34 (Completeness)

If $T = \Phi \triangleright \exists\Psi.\ U_1\{U_2\}$
and $\mathcal{D} :: \Psi \vdash U_1$ strict

and $\mathcal{E} :: \eta$ ($\Phi \vdash \eta \in \Psi$) is a solution of $\exists\Psi.\ U_1\{U_2\}$
then $\vdash T$ matchable


Proof: direct

$T \Longrightarrow^* \Phi \triangleright \top\{U\}$ for some $U$ by Lemma 6.32(2) on $\mathcal{D}$ and $\mathcal{E}$
$\Phi \triangleright U\{\top\} \Longrightarrow^* \Phi \triangleright \top\{\top\}$ by Lemma 6.33(2)

$\vdash T$ matchable by msuccess

□


Theorem 6.36 (Determinacy)

If $\mathcal{D} :: \Psi' \vdash \psi \in \Psi$
and $\mathcal{E} :: \Psi' \vdash \psi$ strict
and $\mathcal{F} :: \Phi \vdash \eta \in \Psi$

then there exists a (unique) $\eta'$ ($\Phi \vdash \eta' \in \Psi'$) s.t. $\psi \circ \eta' = \eta$
or not.

Proof:

$\mathcal{E}' :: \vdash (\psi \approx \eta \wedge \mathrm{True})$ strict by Lemma 6.27 on $\mathcal{E}$

Case: $\vdash \Phi \triangleright \exists\Psi'.\ \psi \approx \eta$ matchable

There exists an $\eta'$ ($\Phi \vdash \eta' \in \Psi'$) s.t. $\psi \circ \eta' = \eta$ by Theorem 6.30 on $\mathcal{E}'$, $\mathcal{F}$

Case: $\nvdash \Phi \triangleright \exists\Psi'.\ \psi \approx \eta$ matchable

There exists no $\eta'$ ($\Phi \vdash \eta' \in \Psi'$) s.t. $\psi \circ \eta' = \eta$ by Theorem 6.34 on $\mathcal{E}'$, $\mathcal{F}$

□

B.3 Big-Step Semantics

Lemma 6.37 (Context)

1. If $\mathcal{D} :: \Phi; \cdot \vdash \mathrm{id}_\Phi, \psi; \delta \in \Phi, [\mathrm{id}_\Phi, M/x]\Psi; [\mathrm{id}_\Phi, M/x]\Delta$

and $\mathcal{F} :: [\Phi] \vdash M : A$
and $\mathcal{P} :: \Phi; \cdot \vdash P \in F[\mathrm{id}_\Phi, M/x]$

then $\Phi; \cdot \vdash (\mathrm{id}_\Phi, M/x, \psi; P/y, \delta) \in (\Phi, x : A, \Psi; y \in F, \Delta)$

2. If $\mathcal{D} :: \Phi; \cdot \vdash \mathrm{id}_\Phi, \psi; \delta \in \Phi, \Psi; \Delta$
and $\mathcal{P} :: \Phi; \cdot \vdash P \in F$

then $\Phi; \cdot \vdash (\mathrm{id}_\Phi, \psi; P/y, \delta) \in (\Phi, \Psi; y \in F, \Delta)$

Proof: direct in both cases.

1. Let $\psi'; \delta' = \mathrm{id}_\Phi, M/x, \mathrm{id}_\Psi; P/y, \mathrm{id}_\Delta$

$\Phi, [\mathrm{id}_\Phi, M/x]\Psi; [\mathrm{id}_\Phi, M/x]\Delta \vdash \psi'; \delta' \in \Phi, x : A, \Psi; y \in F, \Delta$ by definition substitution
Let $\psi''; \delta'' = (\psi'; \delta') \circ (\mathrm{id}_\Phi, \psi; \delta) = \mathrm{id}_\Phi, M/x, \psi; P/y, \delta$
$\Phi; \cdot \vdash \psi''; \delta'' \in \Phi, x : A, \Psi; y \in F, \Delta$ by Corollary 6.21

2. Let $\psi'; \delta' = \mathrm{id}_\Phi, \mathrm{id}_\Psi; P/y, \mathrm{id}_\Delta$

$\Phi, \Psi; \Delta \vdash \psi'; \delta' \in \Phi, \Psi; y \in F, \Delta$ by definition substitution

Let $\psi''; \delta'' = (\psi'; \delta') \circ (\mathrm{id}_\Phi, \psi; \delta) = \mathrm{id}_\Phi, \psi; P/y, \delta$

$\Phi; \cdot \vdash \psi''; \delta'' \in \Phi, \Psi; y \in F, \Delta$ by Corollary 6.21

□

Theorem 6.38 (Type-preservation)

1. If $\mathcal{D} :: \Phi \vdash P \hookrightarrow V$
and $\mathcal{E} :: \Phi; \cdot \vdash P \in F$
then $\Phi; \cdot \vdash V \in F$

2.

and $\mathcal{E} :: \Phi; \cdot \vdash D \in \Psi; \Delta$

then $\Phi; \cdot \vdash (\mathrm{id}_\Phi, \psi; \delta) \in (\Phi, \Psi; \Delta)$
which extends $\Phi; \cdot \vdash (\mathrm{id}_\Phi; \cdot) \in (\Phi; \cdot)$

3. If $\mathcal{D} :: \Phi \vdash (\psi; \delta) \sim \Omega \hookrightarrow V$
and $\mathcal{F} :: \Phi; \cdot \vdash \psi; \delta \in \Psi; \Delta$

and $\mathcal{E} :: \Psi; \Delta \vdash \Omega \in F$
then $\Phi; \cdot \vdash V \in F[\psi]$

Proof: by simultaneous induction over $\mathcal{D}(1)$, $\mathcal{D}(2)$, $\mathcal{D}(3)$.

1.  Case:  V  = - . - ev_Lam 

$  h  Aa:  :  A.  P  Ax  :  A.  P 

£  =  §;  ■  \-  Ax  :  A.  P  E  F 


Case:  V  = - evJam 

$  h  \pL .  P  <-¥  A pL.P 

£  =  $;•  h  \pL.Pe  F 


Vi 

Case:  V  = - ev.irix 

$  h  (M,P)  ^  (M,V) 


£  :: 

*;• 

h  (M,P)  G  3x  :  A.F 

£1  : 

■■m 

A-M-.A 

£2: 

h  P  G  F[M/x } 

Qi 

■  h  V  G  F[M/x } 

0,2 

•  h  (M,  F)  G  3 x:  A.F 

Case:  D - ev_unit 

*1-0^0 

£  =  $;-b  (}  £F 


V\  V 2 

$\-D'->ip;8  P[id*,ip;8\'->V 

Case:  V  = - evJet 

$  h  let  D  in  P  ^  V 

£::§;■  \-  let  D  in  P  e  F 
£i  ::  $;•  h  D  G  ^;A 
f2::f,$;AhPeF 
Qi  •  h  id$,t/>;  tf  :  A 

P3  ::$;-HP[id<f>,^;<5]  =  P' 

D4  ::  $;  •  b  P'  V 


by  assumption 


by  assumption 


by  assumption 
by  inversion  on  £ 
by  inversion  on  £ 
by i.h.(1) on $\mathcal{D}_1$, $\mathcal{E}_2$
by  R3  on  £\  and  Q\ 


by  assumption 


by  assumption 
by  inversion  on  £ 
by  inversion  on  £ 
by i.h.(2) on $\mathcal{D}_1$, $\mathcal{E}_1$
by  definition  of  T>2 
by  definition  of  V 2 
$\mathcal{Q}_2 :: \Phi; \cdot \vdash P' \in F[\mathrm{id}_\Phi, \psi]$
Q2  ::  $;  •  h  P'  6  P 
Q  ::  $;•  h  V  G  F 


Pi 

$  h  P[/ix  G  P.  P/x]  «-►  V 

Case:  T>  = - ev.rec 

4>  h  fix  G  F.  P  <->  V 

£  ::  4>;  •  h  fix  £  F.P  £  F 
Si  ::  $;x  €  F  h  P  G  F 
P2  P[//x  G  F.  P/x]  =  P' 

X>3  ::$hP'sF 
P  •  b  id<j>;  •  :  • 

Pi  ::  4>;  •  H  id<j>;  //x  G  P.  P/x  :  $;  x  G  F 
Qi  ::  $;•  h  P'  G  P 
Q  ::  4>;  •  h  V  G  P 


Pi  P2 

4>  h  Pi  «->  Vi  <I> 

Case:  P  = - ev_pair 

$h(Pj,P2)^(V,,F2) 

b  <Pi,P2)  G  Pi  A  P2 
Si  •  h  Pi  G  >1 
£2  ::  4>;  •  b  P2  G  P2 
Q\  ::  4>;  •  b  V]  G  Pi 
0.2  ::  4>;  •  h  F2  G  P2 
Q  ::  4>;  •  b  {V\ ,  V->)  G  P|  A  P2 


Pi 

$  b  (V>;  (5)  ~  «->  V 

Case:  P  = - ev_case 

4>  b  case  (1/;;  <$)  of  U  t-»  V 

£  ::  $;  •  b  case  (1/1;  5)  of  ft  G  P[V>] 

5]  •  h  1/;;  <5  :  T;  A 

52::4';Ahfi6F 

Q::$;.hVGP[0] 


2.  Case:  P  = - ev_empty 

$b  •«->•;  * 

4>;-  b  id$;-  G  4>;  • 


by  Lemma  6.20(2)  on  <?2,P;i 
P  closed  on  T 
by i.h.(1) on $\mathcal{D}_4$, $\mathcal{Q}_2$


by  assumption 
by  inversion  on  £ 
by  definition  of  P 1 
by  definition  of  Pi 
by  Lemma  6.22 
by  smeta  on  £,V 
by  Lemma  6.20(1)  on  Pi, Pi 
by i.h.(1) on $\mathcal{D}_3$, $\mathcal{Q}_1$


by  assumption 
by  inversion  on  £ 
by  inversion  on  £ 
by i.h.(1) on $\mathcal{D}_1$, $\mathcal{E}_1$
by i.h.(1) on $\mathcal{D}_2$, $\mathcal{E}_2$
by  RA  on  Q\ ,  Q2 


by  assumption 
by  inversion  on  £ 
by  inversion  on  £ 
by i.h.(3) on $\mathcal{D}_1$, $\mathcal{E}_1$, $\mathcal{E}_2$


by  Lemma  6.22 
Case: $\mathcal{D}$ =


Vx 

$  b  PM.  (M,  V) 


$  b  P>[id#,  M/x;  V/y]  -4  V’;  <5 


$  b  (a: :  A,  y  €  F)  ■=  P,  D  c-t  M/x,  ip]  V/y,  5 


ev_split 


£  ::  $;  •  b  (x  :  A,  y  G  F)  =  P,  D  G  x  :  A,  '3>;  y  G  F,  A 

Si  ::$;-bPG3x:  A.P 

£2  ::  $,  x  :  A;  y  G  F  b  D  G  \I>;  A 

Qx  b  (M,V)  G  3x  :  A.F 

Q2  ::  [$]  b  M  :  A 

Q3  ::  $5  •  b  F  €  F[id#,  M/x] 

D3::  $;-bD[id#,M/x;E/y]  =D' 

P4  "  $  b  £>'  «-»•  6 

Vi  b  id#;-  :  $;  • 

V2  •  b  id #,M/x;  •  G  $,x  :  A;  ■ 

V  ::  $;  •  b  id #,  M/x;  V/y  €  $,x  :  A]  y  £  F 
Tlx  •  b  D'  G  [id*,  M/x]$;  [id*,  M/x] A 
P2  ::  3>;  •  b  id*,  ip]  8  6  $,  [id#,  M/x]’!';  [id* ,  M/x]A 
P  ::<&;•  b  id*,  M/x,  ip]  V/y,  8  £  <&,  x  :  A,  \I/;  y  £  F,  A 


by  assumption 
by  inversion  on  £ 
by  inversion  on  £ 
by i.h.(1) on $\mathcal{D}_1$, $\mathcal{E}_1$
by  inversion  on  Ch 
by  inversion  on  Qi 
by  definition  of  X>2 
by  definition  of  Z>2 
by  Lemma  6.22 
by  sass  on  Q2,  Pi 
by  smeta  on  Q3,  P2 
by  Lemma  6.20(2)  on  P,  P3,£2 
by i.h.(2) on $\mathcal{R}_1$, $\mathcal{D}_4$
by  Lemma  6.37(1)  on  P2,  Q2,  Q3 


Case:  V 


Vi 

P  <-)•  Ax  :  A.  P' 


Vo 

$  b  P' [id#,  M/x] 


V3 

$  b  D[V/y\  <->ip]8 


$  b  y  G  F[ id*,  M/x]  =  P  M,  D  m-  ip]  V/y,  8 
£::$;•  b  y  G  P[id#,  M/x]  =  PM,I)ef;ye  F[id#,  M/x],  A 


ev_App 


£1  ::$;-bPGVx:A.P 
£2  ::  [$]  b  M  :  A 

£ 3  ::$;y6  P[id#,M/x]  bfiG^A 
Qi  ::$;-bAx:A.P' gVx:M.P 
Q2  ::$,x:  A;  •  b  P' G  F 
Pi  b  P' [id#,  M/x]  =  P" 

P2  $  b  P"  «->  E 
Pi  ::  $;•  b  id#;  •<&;  • 

P  ::<!>; -bid  #,  M/x;  •  G  $,x  :  A;  • 

Pi  •  b  P"  G  F[id#,M/x] 
P2::$;-bEGF[id#,M/x] 

P3  ::  $;  •  b  D[E/y]  =  D'/tf ;  A 
P4  "  $  b  D'  ^  ip]  8 

P2  ::  $;•  b  id#;E/y  £  $;y  G  P [id#, M/x] 

P3  •  b  £>' G  tf;  A 

P4  ::  $;  •  b  id#,  ip]  8  G  $,  $;  A 

P  •  b  id#,  ip]  V/y,  8  G  3>,  VP;  y  G  P[id#,  M/x],  A 


,  M/x],A  by  assumption 

by  inversion  on  £ 
by  inversion  on  £ 
by  inversion  on  £ 
by i.h.(1) on $\mathcal{D}_1$, $\mathcal{E}_1$
by  inversion  on  Qi 
by  definition  of  P2 
by  definition  of  P2 
by  Lemma  6.22 
by  sass  on  Pi,£2 
by  Lemma  6.20(1)  on  V,T\,  Q2 
by i.h.(1) on $\mathcal{R}_2$, $\mathcal{P}_1$
by  definition  of  P3 
by  definition  of  P3 
by  smeta  on  Pi,P2 
by  Lemma  6.20(2)  on  Pi,P3,£3 
by i.h.(2) on $\mathcal{R}_4$, $\mathcal{P}_3$
by  Lemma  6.37(2)  on  P4,P2 


Case:  P 


Pi 

$  b  P  -4  A  pL.  P' 


V2  P3 

<£  b  P'[id#,p'/p]  $  b  D[V/y]  ^ Ip]  8 


$  b  y  G  F[id#,  p'/p]  =  P  P,D  ^  ip]  V/y,  8 


ev_app 
$\mathcal{E} :: \Phi; \cdot \vdash y \in F[\mathrm{id}_\Phi, p'/p] = P\ p', D \in \Psi; y \in F[\mathrm{id}_\Phi, p'/p], \Delta$
::  $;T  P  G  IIpL.F 
£2  ::  p,L  G  $ 

£3  "  [$J  I"  P'  =  P 

£4  "  $;y  G  Pfid^.p'/p]  h  D  G  T;  A 
Qi  h  ApL.P'  G  IIp7  F 
Q2  ::$,pL;-h  P' G  F 
Pi  ::$;.|-P'[id*,p'/p]=P" 

P2  ::  $  H  P"  M-  E 
Pi  ::  <f>;  •  b  id$, 

715  ::  $;  *  I-  idtj>,p7p;  •  G  <f>,pL;  • 

Pi  ::*;-bP"GF[id*,p7p] 

7&2::*;-b  VGP[id*,,t//p] 

^3::$;-bP[V/y]  =  P'/®;A 

P4  $  b  P7  <—>•  (5 

P2  •  b  id<i>;  V/y  G  $;y  G  F[id*:  p7/p] 

P3  ::  $;•  b  P7  G  ^;A 
Hi  ::  <E>;  •  b  id<j>,  V;;  5  G  A 
1Z  ::  $;  •  b  id<3>,^;  V/y,  (5  G  $,^;y  G  F[id<i>,  p'/p],  A 


by  assumption 
by  inversion  on  £ 
by  inversion  on  £ 
by  inversion  on  £ 
by  inversion  on  £ 
by i.h.(1) on $\mathcal{D}_1$, $\mathcal{E}_1$
by  inversion  on  Q\ 
by  definition  of  P2 
by  definition  of  P2 
by  Lemma  6.22 
by  sblock  on  £2,£3,Pi 
by  Lemma  6.20(1)  on  V,T\,  Q2 
by i.h.(1) on $\mathcal{R}_2$, $\mathcal{P}_1$
by  definition  of  P3 
by  definition  of  P3 
by  smeta  on  7£2,  V\ 
by  Lemma  6.20(2)  on  P2 ,  T\\ ,  £4 
by i.h.(2) on $\mathcal{R}_4$, $\mathcal{P}_3$
by  Lemma  6.37(2)  on  7^4, 7£2 


<L,  pL  b  P  'ijr,  8 

Case:  7?  — - ev_new 

$  h  //  pL.  f)  s-  Ap.  V;;  A pL .  8 

£::$;•  b  i/pL.P  G  IIpL.(3';A) 

£1  ::$,pVbPG*;A 

T^i  ::  $,pV  b  id*,p/p.^;<5  G  $,pL,\&;  A 

7^2  •  b  id^>;  •$;  • 

Qi  u^-bid^V^'GS^A' 

Q2  ::  V/;^- ApL.(V;;5) 

Q3::^';A'  =  npL.(^;A) 


by  assumption 
by  inversion  on  5 
by i.h.(2) on $\mathcal{D}_1$, $\mathcal{E}_1$
by  Lemma  6.11  (2) 
by  Lemma  6.7(1)  on  1Z\,1Z2 
by  Lemma  6.7(1)  on  Pi,7£2 
by  Lemma  6.7(1)  on  7£i,7£2 


Pi  V2 

<i>b  P->  (Vi,V2)  $bD[Vi/x]<-> 

Case:  P  = - ev_fst 

$  b  X  =  7T]  P,  P  <—>  Vi/x,  (5 

£  .  b  x  =  7Ti  P,  P  G  $;xGFi,A 

£1  ::  <J>;  •  b  P  G  Fi  A  P2 
£2  ::  4>;x  G  Pi  b  P  G  A 
Qi  ::^;-b(Vi,V2)GFi  A  P2 
Q2  ::  $;  •  b  Vi  G  Pi 
Q3  ::  $;  *  b  id<j>;  *  :  <I>;  • 

Q\  ::  $;  *  b  id<j>;  V/x  :$;xGfi 
Pi  ::$;.bP[Vi/x]  =  P' 


by  assumption 
by  inversion  on  £ 
by  inversion  on  £ 
by i.h.(1) on $\mathcal{D}_1$, $\mathcal{E}_1$
by  inversion  on  Q\ 
by  Lemma  6.22 
by  smeta  on  Q3 
by  definition  of  P2 
$\mathcal{R}_2 :: \Phi \vdash D' \hookrightarrow \psi; \delta$ by definition of $\mathcal{D}_2$

Pi  ::  •  b  D'  G  ’L;  A  by  Lemma  6.20(2)  on  Pi,  Q4,£2 

P2  •  b  id$,  ip;  8  £  $,  'L;  A  by  i.h.(2)  on  Pi,  P2 

P  ::  $;  •  b  id^.,  -0;  Fi/x,  8  G  <3>,  \I/;x  G  Fi,  A  by  Lemma  6.37(2)  on  £>2)  P2 


Pi  T>2 

(Fi,F2)  $  b  D[F2/x]  ip';  5' 

Case:  P  = - ev_snd 

$  hx  =  7r2  P,D^ip';V2/x,8' 

£  ::  <3>;  •  b  x  =  7r 2P,J)6f;x£  P2,  A 
£1  ::  •  b  P  €  £1  A  F2 

£2  ::  $;x  €  F2  b  D  e  A 
Qi  ::$;-b(Fi,F2)  bFi  AP2 
Q2  •  b  V2  €  F2 
Q3  •  b  id$;  •  :  <3>;  • 

Q4  ::  4>;  •  b  id<j>;  F/x  :  <fr;x  6  F2 
7^1  •  b  D[F2/x]  =  D' 

772  ::  •  b  D'  <->  ip;  5 

Vi  ::f;TP'6$;A 
P2  •  b  id*,  ip;  8  €  $,  <&;  A 
77  ::  $;  •  b  id  $,ip;V2/x,8  P2,  A 


Pi 

$  b  <5]  F 

3.  Case:  V  = - ev.yes 

$  b  (iP;  8)  ~  (O,  (^'  >  ip'  h*  P))  «->  F 

There  exists  a  ip"  s.t.  (1//;  kIa)  °  (^»w;  <5)  =  (i/>;  <5) 
Tv.  $;•  b^M  :  $;A 
£::$;Abfl,(ft>^h}P)GP 
£1  ::  'L';  [ip')  A  b  ip';  idA  :  $r;  A 
£2  ::  ty>']A  b  P  G  F[ip'] 

Qi  •  b  ip";  8  :  'J/';  [ip']A  by 

Vi  P[iP";8]e  F[iP'][iP") 

Pi  v.$;-\-  P[iP";8]eF[iP] 

P  ::  <I>;  •  b  F  6  F[ip] 


$b  (ip;8)~Q^>V 

Case:  V  = - ev_no 

$  b  (ip;  5)  ~  (fi,  (tf  >  ip'  P))  ^  V 

There  is  no  ip"  s.t.  (^'juIa)  0  {ip";  8)  =  {ip;  (5) 

T  ::<$>;-\~ip;5  :$;A 
£  ::  A  b  fi,  (tf  >  ip'  P)  €  F 


by  side  condition 
by  assumption 
by  assumption 
by  inversion  on  £ 
by  inversion  on  £ 
type  correctness  of  side  condition 
by  Lemma  6.20(1)  on  £2,  Q\ 
by  Definition  of  ip" 
by i.h.(1) on $\mathcal{D}_1$, $\mathcal{P}_1$


by  assumption 
by  inversion  on  £ 
by  inversion  on  £ 
by i.h.(1) on $\mathcal{D}_1$, $\mathcal{E}_1$
by  inversion  on  Q\ 
by  Lemma  6.22 
by  smeta  on  Q3 
by  definition  of  P2 
by  definition  of  P2 
by  Lemma  6.20(2)  on  Pi,  Q4,£2 
by  i.h.(2)  on  Pi,P2 
by  Lemma  6.37(2)  on  Q2,P2 
by assumption
by  assumption 
$\mathcal{E}_1 :: \Psi; \Delta \vdash \Omega \in F$
Tl  ::  $;•  h  V  €  F [■*/>] 


by  inversion  on  £ 
by i.h.(3) on $\mathcal{D}_1$, $\mathcal{F}$, $\mathcal{E}_1$


□ 
Realizability


Theorem 7.3 (Local type preservation for small-step semantics)

If $\mathcal{D} :: \vdash S \in F$
and $\mathcal{E} :: S \Longrightarrow S'$
then $\vdash S' \in F$.

Proof: by case analysis on $\mathcal{E}$

Case: $\mathcal{E} = \mathrm{trlet} :: \Phi; C \triangleright \mathsf{let}\ D\ \mathsf{in}\ P \Longrightarrow \Phi; C, \mathsf{let}\ \cdot\ \mathsf{in}\ P \triangleright D$

$\mathcal{D} :: \vdash (\Phi; C \triangleright \mathsf{let}\ D\ \mathsf{in}\ P) \in F$ by assumption
$\mathcal{D}_1 :: \Phi \vdash C \in F_1 \Rightarrow F$ by inversion on $\mathcal{D}$
$\mathcal{D}_2 :: \Phi; \cdot \vdash \mathsf{let}\ D\ \mathsf{in}\ P \in F_1$ by inversion on $\mathcal{D}$

$\mathcal{F}_1$ by inversion on $\mathcal{D}_2$

$\mathcal{F}_2 :: \Phi, \Psi; \Delta \vdash P \in F_1$ by inversion on $\mathcal{D}_2$
$\mathcal{P} :: \Phi \vdash C, \mathsf{let}\ \cdot\ \mathsf{in}\ P \in (\Psi; \Delta) \Rightarrow F$ by tclet on $\mathcal{D}_1$, $\mathcal{F}_2$
$\mathcal{Q} :: \vdash (\Phi; C, \mathsf{let}\ \cdot\ \mathsf{in}\ P \triangleright D) \in F$ by tsdec on $\mathcal{P}$, $\mathcal{F}_1$

Case: $\mathcal{E} = \mathrm{trletC} :: \Phi; C, \mathsf{let}\ \cdot\ \mathsf{in}\ P \triangleright (\psi; \delta) \Longrightarrow \Phi; C \triangleright P[\mathrm{id}_\Phi, \psi; \delta]$

$\mathcal{D} :: \vdash (\Phi; C, \mathsf{let}\ \cdot\ \mathsf{in}\ P \triangleright (\psi; \delta)) \in F$ by assumption
$\mathcal{D}_1 :: \Phi \vdash C, \mathsf{let}\ \cdot\ \mathsf{in}\ P \in (\Psi; \Delta) \Rightarrow F$ by inversion on $\mathcal{D}$
$\mathcal{D}_2 :: \Phi; \cdot \vdash \mathrm{id}_\Phi, \psi; \delta \in \Phi, \Psi; \Delta$ by inversion on $\mathcal{D}$

$\mathcal{F}_1 :: \Phi \vdash C \in F_1 \Rightarrow F$ by inversion on $\mathcal{D}_1$
$\mathcal{F}_2 :: \Phi, \Psi; \Delta \vdash P \in F_1$ by inversion on $\mathcal{D}_1$

$\mathcal{P} :: \Phi; \cdot \vdash P[\mathrm{id}_\Phi, \psi; \delta] \in F_1[\mathrm{id}_\Phi, \psi]$ by Lemma 6.20(1) on $\mathcal{D}_2$, $\mathcal{F}_2$

$\mathcal{P} :: \Phi; \cdot \vdash P[\mathrm{id}_\Phi, \psi; \delta] \in F_1$ since $\Phi; \cdot \vdash F_1$ formula
$\mathcal{Q} :: \vdash (\Phi; C \triangleright P[\mathrm{id}_\Phi, \psi; \delta]) \in F$ by tsprg on $\mathcal{F}_1$, $\mathcal{P}$


Case:  £  =  trpair ::  C>  (Pi,P2)  =*>  $;C7,  (*,P2)  >  Pi 
$\mathcal{D} :: \vdash (\Phi; C \triangleright (P_1, P_2)) \in F$
P i  ::  $  h  C  G  Pi  A  P2  =t-  P 
V2  (Pi,  P2)  G  Pi  A  P2 

Pi  ::  <E>;  •  h  Pi  G  P, 

P2  ::<£>;•  b  P2  G  P2 
P::$hC',(.,P2)eP1  =^P 
Q::h  ($;  C,  (•,  P2)  >  P] )  €  P 


by  assumption 
by  inversion  on  P 
by  inversion  on  P 
by  inversion  on  P2 
by  inversion  on  P2 
by  tcpair  on  V\ ,  P2 
by  tsprg  on  P,  Pi 


Case:  5  =  trpairC  ::  <I>;  (7,  (•,  P2)  >  V  =*>  $;C»(P.P2) 

P::h  ($;C,(*,P2)>P)GP 
Pi  $  h  C,  (•,  P2)  G  Pj  ^P 
P2  ::  $;  •  b  P  G  P, 

P]  ::  $  h  C  G  Pi  A  P2  =>•  P 
P2  ::  €>;  •  b  P2  G  P2 
P  ::  $;  •  b  (V,  P2)  e  P,  A  P2 
Q::b  ($;C»(P,P2))gP 


by  assumption 
by  inversion  on  V 
by  inversion  on  T> 
by  inversion  on  Pi 
by  inversion  on  Pi 
by  RA  on  P2,P2 
by  tsprg  on  Pi ,  P 


Case:  £  =  trmix  ::  C  >  (Pi ,  P2>  =4>  $;C.  (P,,*)  >  P2 

P::b  ($;C»(P,,P2))  GP 
Pi  ::  $  b  C  G  Pi  A  P2  =£>  P 
P2  ::  $;-b  (Pi,P2>  G  P  A  P2 
Pi  Vj  G  P, 

P2  •  b  P2  G  P2 
P  ::  $  b  C,  (P,*)  G  P2  P 
Q::b  ($;  C,  (Pj ,  •)  >  P2)  €  P 


by  assumption 
by  inversion  on  P 
by  inversion  on  P 
by  inversion  on  P2 
by  inversion  on  P2 
by  tcmix  on  Pi,P| 
by  tsprg  on  P,P2 


Case:  5  =  trmixC  (VJ,*)  >  P  =►  $;C>(Pi,P) 

P::b  ($;C,(Pi,*)>P)  €  P 
Pi  ::  $  b  C,(P i,*)  G  P2  =►  P 
P2  ::  $;•  h  P  G  P2 
Pi  $  b  C  G  Pi  A  P2  =>  P 
P2  ::  $;  •  b  Pi  G  Pi 
P::$;-b(Pi,P)GPi  A  P2 
Q::b  ($,  C  >  (Pi,  P))  G  P 


by  assumption 
by  inversion  on  P 
by  inversion  on  P 
by  inversion  on  Pi 
by  inversion  on  Pj 
by  R  V  on  P2 ,  P2 
by  tsprg  on  Pj ,  V 


Case:  £  —  trfst ::  <D;  C  >  x  G  Pi  =  7Ti  P,  D  =>  C,  x  G  Pi  =  7Tj  »,D  t>  P 


V  ::b  ($;  C  >  x  G  Pi  =  7Ti  P,  P)  G  P 
Pi  ::$hC€($;xePi,A)^P 
$\mathcal{D}_2 :: \Phi; \cdot \vdash x \in F_1 = \pi_1 P, D \in \Psi; x \in F_1, \Delta$

Pi  ::  $;  •  b  P  €  Pi  A  P2 
P2  ::  $;  X  G  Fi  h  P  G  \I>;  A 
P  $  b  C,  (x  G  Pi  =  7Ti  •,  P)  G  Pi  A  P2  =>  F 
Q  ::b  ($;  C,  (x  G  Pi  =  tti  P)  >  P)  G  F 


by  inversion  on  P 
by  inversion  on  P2 
by  inversion  on  P 2 
by  tcfst  on  Pi ,  P2 
by  tsdec  on  P.  Pi 


Case:  £  =  trfstC  ::  <I>;  C,  x  G  Pi  =  7Ti  •,  P  >  (Pi,  P2) 


<?,  (•;  Pi/x,  •)  >  P[Pi/x] 


P  ::b  ($;C,x  G  Pi  =  tti  •, P t>  (Pi, P2))  G  F 
Pi  ::  <L  b  C,  x  G  Pi  =  7Ti  •,  P  G  Pi  A  P2  =>  F 
P2::$;-b(Pi,P2)  GPi  AF2 
Pi  ::$i-CG  (\1/;x  G  -Pi,  A)  =>  F 
P2  ::  <£>;  x  G  Ft  b  D  :  'I';  A 
01  ::  $;  •  b  Pi  G  F\ 

Vi  ::#hC',(.;P1/x,*)G(1';A)=>JF 
P2  ::  $;•  b  P[Pl/x]  :  $;A 
G  :P  (3;  <?,  (.;  Pi/x,  •)  >  D[Pi/x])  G  F 


by  assumption 
by  inversion  on  V 
by  inversion  on  V 
by  inversion  on  V\ 
by  inversion  on  Pj 
by  inversion  on  P2 
by  tcmeta  on  F\ .  Q\ 
by  Lemma  6.20  (2)  on  P2 
by  tsdec  on  Vi,V2 


Case:  £  =  trsnd  ::  <L;  C  >  x  G  P2  =  7r2  P,  D  =>■  $;C,x€  P2  =7 r2  •,  P  t>  P 


P  ::t-  ($;  C  >  x  G  P2  =  7t2  P,  D)  G  F 

V i  $  b  <7  G  ('L;  x  G  F2,  A )  =>  F 

P-2  •  b  x  G  P2  =  7r2  P,  P  G  'L;  x  G  P2,  A 

Pi  ::  $;  •  b  P  G  Pi  A  F2 

T2  ::  $;  x  G  P2  b  P  G  <1/;  A 

V  ::  $  b  C,  (x  G  P2  =  7T2  •,  P)  G  Pi  A  P2  =4>  P 

Q  ::l-  ($;  C,  (x  G  P2  =  tt2  •,  P)  >  P)  G  P 


by  assumption 
by  inversion  on  P 
by  inversion  on  P 
by  inversion  on  P2 
by  inversion  on  P2 
by  tcsnd  on  Pi,P2 
by  tsdec  on  P,  Pi 


Case:  £  =  trsndC  ::  $;  <7,  x  G  P2  =  7r2  •,  P  >  (Pi,  P2)  =»  $;  C,  (•;  P2/x,  •)  >  P[P2/x] 


P::b  ($;C,xGP2  =  7r2  •, P >  (Pi, P2))  G  P 
Pi  $  b  C,  x  G  P2  =  7t2  •,  P  G  Pi  A  P2  =»  P 
P2  b  (Pi,  P2)  G  Pj  A  P2 
Pi  $  b  C  G  (^;x  G  P2,  A)  =►  P 
P2  ::  <L;x  G  P2  b  P  :  \1>;  A 
£/l  ::  •  b  P2  G  P2 

Pi  $  b  C,  (•;  P2/x,  •)  G  ($;  A)  =»  P 
P2  ::  <3>;  •  b  P[P2/x]  :  'L;  A 
g  ::b  ($;  <7,  (•;  P2/x, .)  >  P[P2/x])  G  P 


by  assumption 
by  inversion  on  V 
by  inversion  on  V 
by  inversion  on  V\ 
by  inversion  on  V\ 
by  inversion  on  T>2 
by  tcmeta  on  T\,Q\ 
by  Lemma  6.20  (2)  on  JF2 
by  tsdec  on  V\,  V2 


Case:  £  =  trinx  ::  C  >  (Af,  P)  =>  $;  C,  (Af,  •)  >  P 
$\mathcal{D} :: \vdash (\Phi; C \triangleright (M, P)) \in F$
Pi  ::  $  h  C  G  3x  :  A.  Pi  =►  P 
P2  ::  $;  •  h  (M,  P)  G  3x  :  >4.  Pi 
Pi  ::[$](-  M  :  A 
P  h  P  eFi [id*,  M/a:] 
?::$h(7,  (M,  •)  G  Pi  [id*,  M/a;]  =»  P 
Q:-y  ($;C,  (M,.)>P)gP 


Case: $\mathcal{E} = \mathrm{trinxC} :: \Phi; C, (M, \cdot) \triangleright V \Longrightarrow \Phi; C \triangleright (M, V)$

P  ::h  (4>;  C,  (M,  •)  >  V)  G  P 

Pi  5>  h  C,  ( M ,  •)  G  Pi  [id*,  M/a;]  =»  P 

P2  ::  $;•  h  V  G  Pi  [id*,  M/x] 

Pi  ::  $  b  C  G  3.r  :  A.  Pi  =*  P 
P2  ::  [$]  \-  M  :  A 
P  ::  $;•  h  (M,  F)  G  3.7;  :  A  Pi 
Q::h  ($;  C  >  (M,  V))  G  P 


Case:  £  =  trsplit ::  <fr;  C  >  (x  :  A.y  G  Pi)  =  P,  D  =>  C,  {x  :  A, y 

P  ::h  ($;C>(rly  G  Pi)  —  P,D)  &  F 
Di::$KCg(.t:  Pi,  A)  =>  P 

P2  «x  :  A,  y  G  Pi )  =  P,  D)  G  a:  :  A  y  G  P, ,  A 

Pi  ::<!>;•  KP  G  3a; :  A.  F\ 

P2  ::  4>,  x  :  A  y  G  Pi  I-  P  G  A 
V  ::  4>  b  C,  ((.x  :  A,y  G  Pi)  =  »,P)  G  3x  :  A  P,  =»  P 
Q  ::h  ($;  C,  ((x  :  A  y  G  Pi)  =  •,  D)  >  P)  G  P 


Case:  £  =  trsplitC  ::  C,  (x  :  A, y  G  P)  =  •,  D  t>  (M.  V)  =► 

P[id*,  M/x;  V/y] 

P  "h  ($;  C,  (x  :  A  y  G  P)  =  •,  D  >  (M,  V))  G  P 

Pi  ::  $  h  <7,((x  :  Ay  €  Pi)  =  •,D)  G  3x  :  A  Pi  =*■  P 

P2  ::  $;  •  h  (M,  V)  G  3x  :  >4.  Pj 

P  ::  $  h  C  G  (x  :  A'i'jy  G  Pi,  A)  =»  P 

P2  ::  $,x  :  Ay  G  Pi  I-  D  G  \l>;  A 

Si  ::  [*]  h  M  :  A 

P[id*,M/x] 

Pi  ::  $  h  C,  (M/x,  •;  V/y,  •)  G  [id*,  M/x] (S';  A)  =►  P 
P2  P[id*,M/x;  V/y]  G  [id*,  M/x] (S';  A) 

h  (*;  C,  (M/x,  •;  V/y,  •)  >  D[id*,  M/x;  V/y])  G  P 


Case:  £  =  trsubst ::  S>;  C,  (M/x,  •;  V/y,  •)  >  (t/>;  <S)  ==>  $;C>(M/x, 


by  assumption 
by  inversion  on  P 
by  inversion  on  P 
by  inversion  on  P2 
by  inversion  on  P2 
by  tcinx  on  Pi, p 
by  tsprg  on  P,  P 


by  assumption 
by  inversion  on  P 
by  inversion  on  P 
by  inversion  on  P2 
by  inversion  on  P2 
by  R3  on  p ,  P2 
by  tsprg  on  Pi ,  P 

G  Pi)  =  *,P»P 

by  assumption 
by  inversion  on  D 
by  inversion  on  V 
by  inversion  on  V 2 
by  inversion  on  V2 
by  tcsplit  on  V\ ,  ^2 
by  tsprg  on 

(M/a;,.;  v/y,.)  > 

by  assumption 
by  inversion  on  7? 
by inversion on $\mathcal{D}$
by  inversion  on  V\ 
by  inversion  on  V\ 
by  inversion  on  V2 
by  inversion  on  V2 
by  tcsubst  on  T\ ,  Q\ ,  £2 
by  Lemma  6.20(2)  on  JF2 
by  tsdec  on  V\,V2 

V/y,  £) 
$\mathcal{D} :: \vdash (\Phi; C, (M/x, \cdot; V/y, \cdot) \triangleright (\psi; \delta)) \in F$
Vl  $hC,  (M/x,  •;  F/y,  •)  €  (*';  A')  =»  F 
P2::$;-t-id$,tMG$,1'';A' 

Fa  ::  tf'jA'  =  [id#,  M/x]^;  A) 

F2  ::  $  h  C  G  (x  :  A,  \l>;  y  €  Fl,  A)  F 
F3  ::[f]hMJ 
T4  h  L  G  Fi[id<j>,  M/x] 

V  ::  $;•  P  id^,  M/x,  ip-,  V/y,  6  G  $,x  :  A,  $;y  G  Fx,  A 
Q::h($;C>M/x,V>;F/y,^)eF 


by  assumption 
by  inversion  on  P 
by  inversion  on  T> 
by  inversion  on  'D\ 
by  inversion  on  V\ 
by  inversion  on  Pi 
by  inversion  on  V\ 
by  Lemma  6.37(1)  on  P2,F3,F4 
by  tssub  on  F2,  V 


Case:  £  —  trrec  ::  <L;  C  i>  /t/x  G  F.P  =>■  C 

P::h  ($;Ct>fj,xeFx.P)eF 
Vx  ::  $  b  C  G  Fi  =►  F 
P2  ::$;•! -pxG  Fi-  P  G  Fi 
Fl  ::  $;  x  G  Fx  h  F  G  Fi 
P  •  h  P[/ix  G  Fi.  F/x]  G  Fx 
Q::h  ($;C>F[/ixGFi.F/x])  GF 


P[/ix  G  F.  F/x] 

by  assumption 
by  inversion  on  V 
by  inversion  on  V 
by  inversion  on  Rctx 
by  Lemma  6.20(1)  on  Tx 
by  tsprg  on  Pi ,  P 


Case:  £  =  trempty  ::  <E>;  C  >  •  ==>  $;  C  t>  •;  • 

V  ::t-  ($;(?>•)  G  F 

Pi  ::  $l ~Ce  (•;•)  =>  F 
P2  h  •  G 

V  ::  3>;  •  h  id$;  •  :  <&;  • 

Q::h  (*;<?>•;•)  €•;• 


by  assumption 
by  inversion  on  P 
by  inversion  on  P 
by  Lemma  6.22 
by  tssub  on  Pi, F 


Case:  £  =  trApp  ::  $; Oy  G  Fi[id$, M/x]  =  P  M, D  ==>•  $;C,y  G  Fi[id$,M/x]  =  •  M,D>P 


V  ::h  ($;C>yG  Fi[id*,M/x]  =  P  M,D)eF 

Pi  ::  $  h  C  G  (tf;  y  G  Fi[id*,  M/x],  A)  =»  F 

P2  ::  $;  •  h  y  G  Fi[id$,M/x]  =  P  M,D  e  ty;y  e  Fx [id#,  M/x],  A 

Fi  ::  $;  •  h  F  G  Vx  :  A.  Fx 

F2  ::[$]FM:d 

F3  ::$;yG  Fi[id#  ,M/x]  h  D  G  VP;  A 
P  $  b  C,  (y  G  F^id*,  M/x]  =  •  M,D)  G  Vx  :  A.Fi  =►  F 
Q  ::h  ($;  C,  (y  G  Fi[id*,  M/x]  =  •  M,  P)  >  F)  G  F 


by  assumption 
by  inversion  on  P 
by  inversion  on  P 
by  inversion  on  P2 
by  inversion  on  P2 
by  inversion  on  P2 
by  tcApp  on  Pi,F2,F3 
by  tsprg  on  V,  Tx 


Case:  £  =  trAppC  ::  $;C,y  G  Fx  [id#,  M/x]  =  •  M,D  >  Ax  :  A.  P 

d>;  C,y  G  Fi[id$,M/x]  =  *,D  >  P[id$,M/x] 

P::h  ($;(7,y  G  Fi[id#,M/x]  =  •  M,D  >  Ax  :  A.  P)  gF 
Pi  $  h  C,  (y  G  Fi[id*,M/x]  =  •  M,  P)  G  Vx  :  A.  Fx  =»  F 
$\mathcal{D}_2 :: \Phi; \cdot \vdash \lambda x : A.\ P \in \forall x : A.\ F_1$

(®;  y  G  Fjid*,  M/a:],  A)  =>  F 
F2  ::[$\\-M:A 

F3  y  G  Fi  [id*,  M/x]  hDe$;A 
::  :  /!;■  h  P  €  F| 

S2  ::  $;  ■  b  P[id*,M/x]  G  Fjid*,  M/x] 

V  ::  $  b  C,  y  G  F\ [id*,  M/x]  =  •,  P  G  Fj  [id*,  M/x]  =►  F 
<2  ::b  (<E>;  C, y  G  Fj  [id*,  M/x]  =  •,  P  >  P[id*,  M/x])  G  F 


by  inversion  on  V 
by  inversion  on  Pi 
by  inversion  on  V\ 
by  inversion  on  V\ 
by  inversion  on  V 2 
by  Lemma  6.20(1)  on  Q\ 
by  tcassign  on  T\ ,  Fi 
by  tsprg  on  P,  <?2 


Case:  £  =  trapp  ::  $;C>xG  Fj  [id* ,  p'  /  p]  —  P  p' .  D 


<L;  C, x  €  Fj [id*, p'/p]  =  •  p',  P  >  P 


V  ::b  ($;C»x  G  Fi [id* , p'/p]  =  Pp',P)  G  F 

Vi  ::$\-Ce(9;x€Fi[id*,f//p],A)=>F 

V2  ::  $;-hxG  Fi  [id*,  p'/p]  =  P  p',D  G  $;x  G  Fx  [id*,  p'/p],  A 

Fi  KFen/.Fj 

F2  ::  p'L  G  $ 

F3  ::  [<I>J  b  p'  s=  p 

T\  ::<!>;  x  G  Fi[id*,  p'/p]  b  D  G  \l/;  A 
P  $  h  C,  (x  6  F,  [id*,  p'/p]  =  •  p',  P)  G  IIpP  Fj  =>  F 
Q  ::b  (*;  C,  (x  G  Fj  [kl*,  p'/p]  =  •  ft ,  P)  >  P)  G  F 


by  assumption 
by  inversion  on  2? 
by  inversion  on  V 
by  inversion  on  T>2 
by  inversion  on  V 2 
by  inversion  on  T> 2 
by  inversion  on  V2 
by  tcapp  on  V 

by  tsprg  on  V:  T\ 


Case:  £  =  trappC  ::  $;C,xG  Fi[id<p.  pf / p]  —  •  pf.  D  > 

<E>;  C,  (x  G  Fi  [id*,  p'/p]  =  •,  P)  >  P[id*,  p'/p] 


A  pL.P  =» 


V  ::b  ($;  C,  x  G  Fi  [id*,  p'/p]  =  •  p',  D  >  ApL.  P)  G  F 
Pi  ::  $  b  C,  x  G  Fi  [id*,  p'/p]  =  •  p',  P  G  UpL .  F,  =>  F 
P2  ::  $;•  H  A pL.P  G  IIpP  Fj 
Fi  ::  $  b  C  G  ($;  x  €  Fj  [id*,  p'/p],  A)  =►  F 
F2  ::[<!>]  bp  =  p' 

F3  ::  $;x£  Fi  [id*,  p'/p]  b  P  G  4/;  A 

01  ::$,pL;  b  P  €  Fj 

02  "  $;  •  b  P[id*,  p'/p]  G  Fi  [id*,  p'/p] 

P  $  b  C,  (x  G  F]  [id*,  p'/p]  =  •,  D)  G  F]  [id*,  p'/p]  =»  F 
Q  ($;<?,  (x  G  Fi  [id*,  p'/p]  =  •,  P)  >  P[id*,p'/p])  G  F 


by  assumption 
by  inversion  on  V 
by  inversion  on  V 
by  inversion  on  Pi 
by  inversion  on  Pi 
by  inversion  on  Pi 
by  inversion  on  P2 
by  Lemma  6.20(1)  on  Q\ 
by  tcassign  on  Fi,F3 
by  tsprg  on  P,  Q> 


Case:  £  =  trassign  ::  0;C,x£  Fi  =  •,  D  >  V 

V  ::b  ($;C7,x  G  Fx  =  *,P>  V)  G  F 
Pj  $  b  C,  (x  €  Fj  =  •,  D)  G  Fi  =>  F 
P2  ::  $;•  b  V  G  Fj 
Fi  ::$bCG(*;xGFi,A)=>F 
F2  "  $;x  G  Fi  b  D  :  4>;  A 
G  ::  $;■  b  P[F/x]  :  ®;A 


=*►  $;C,(.;y/x,.)>P[r/x] 

by  assumption 
by  inversion  on  V 
by  inversion  on  V 
by  inversion  on  V\ 
by  inversion  on  V 2 
by  Lemma  6.20(2)  on  T2 
$\mathcal{P} :: \Phi \vdash C, (\cdot; V/x, \cdot) \in (\Psi; \Delta) \Rightarrow F$ by tcmeta on $\mathcal{F}_1$, $\mathcal{D}_2$

$\mathcal{Q} :: \vdash (\Phi; C, (\cdot; V/x, \cdot) \triangleright D[V/x]) \in F$ by tsdec on $\mathcal{P}$, $\mathcal{G}$

Case: $\mathcal{E} = \mathrm{trmeta} :: \Phi; C, (\cdot; V/x, \cdot) \triangleright (\psi; \delta) \Longrightarrow \Phi; C \triangleright (\psi; V/x, \delta)$

$\mathcal{D} :: \vdash (\Phi; C, (\cdot; V/x, \cdot) \triangleright (\psi; \delta)) \in F$ by assumption
$\mathcal{D}_1 :: \Phi \vdash C, (\cdot; V/x, \cdot) \in (\Psi; \Delta) \Rightarrow F$ by inversion on $\mathcal{D}$
$\mathcal{D}_2 :: \Phi; \cdot \vdash \mathrm{id}_\Phi, \psi; \delta \in \Phi, \Psi; \Delta$ by inversion on $\mathcal{D}$
$\mathcal{F}_1 :: \Phi \vdash C \in (\Psi; x \in F_1, \Delta) \Rightarrow F$ by inversion on $\mathcal{D}_1$
$\mathcal{F}_2 :: \Phi; \cdot \vdash V \in F_1$ by inversion on $\mathcal{D}_1$
$\mathcal{P} :: \Phi; \cdot \vdash \mathrm{id}_\Phi, \psi; V/x, \delta \in \Phi, \Psi; x \in F_1, \Delta$ by Lemma 6.37(2) on $\mathcal{D}_2$, $\mathcal{F}_2$
$\mathcal{Q} :: \vdash (\Phi; C \triangleright (\psi; V/x, \delta)) \in F$ by tssub on

Case: $\mathcal{E} = \mathrm{trnew} :: \Phi; C \triangleright \nu p^L.\ D \Longrightarrow \Phi, p^L; C, (\lambda p^L.\ (\cdot; \cdot)) \triangleright D$

$\mathcal{D} :: \vdash (\Phi; C \triangleright \nu p^L.\ D) \in F$ by assumption
$\mathcal{D}_1 :: \Phi \vdash C \in (\Psi; \Delta) \Rightarrow F$ by inversion on $\mathcal{D}$
$\mathcal{D}_2 :: \Phi; \cdot \vdash \nu p^L.\ D \in \Psi; \Delta$ by inversion on $\mathcal{D}$
$\mathcal{F}_1 :: \Phi, p^L; \cdot \vdash D \in \Psi'; \Delta'$ by inversion on $\mathcal{D}_2$
$\Psi; \Delta = \Pi p^L.\ (\Psi'; \Delta')$ by inversion on $\mathcal{D}_2$
$\mathcal{P} :: \Phi, p^L \vdash C, (\lambda p^L.\ (\cdot; \cdot)) \in \Psi'; \Delta' \Rightarrow F$ by tcnew on $\mathcal{D}_1$
$\mathcal{Q} :: \vdash (\Phi, p^L; C, (\lambda p^L.\ (\cdot; \cdot)) \triangleright D) \in F$ by tsdec on $\mathcal{P}$, $\mathcal{F}_1$

Case: $\mathcal{E} = \mathrm{trnewC} :: \Phi, p^L; C, (\lambda p^L.\ (\cdot; \cdot)) \triangleright \psi; \delta \Longrightarrow \Phi; C \triangleright \lambda p^L.\ (\psi; \delta)$

$\mathcal{D} :: \vdash (\Phi, p^L; C, (\lambda p^L.\ (\cdot; \cdot)) \triangleright \psi; \delta) \in F$ by assumption
$\mathcal{D}_1 :: \Phi, p^L \vdash C, (\lambda p^L.\ (\cdot; \cdot)) \in (\Psi; \Delta) \Rightarrow F$ by inversion on $\mathcal{D}$
$\mathcal{D}_2 :: \Phi, p^L; \cdot \vdash \mathrm{id}_\Phi, p/p, \psi; \delta : \Phi, p^L, \Psi; \Delta$ by inversion on $\mathcal{D}$
$\mathcal{F}_1$ by inversion on $\mathcal{D}_1$
$\mathcal{G} :: \Phi \vdash \mathrm{id}_\Phi; \cdot \in \Phi; \cdot$ by Lemma 6.22
$\mathcal{G}_1 :: \Phi; \cdot \vdash \mathrm{id}_\Phi, \psi'; \delta' : \Phi, \Psi'; \Delta'$ by Lemma 6.7(1)
$\mathcal{G}_2 :: \psi'; \delta' = \lambda p^L.\ (\psi; \delta)$ by Lemma 6.7(1)
$\mathcal{G}_3 :: \Psi'; \Delta' = \Pi p^L.\ (\Psi; \Delta)$ by Lemma 6.7(1)
$\mathcal{P}_1 :: \Phi \vdash C \in (\Psi'; \Delta') \Rightarrow F$ by using $\mathcal{G}_3$ on $\mathcal{D}_1$
$\mathcal{P}_2 :: \vdash (\Phi; C \triangleright \psi'; \delta') \in F$ by tssub on $\mathcal{F}_1$, $\mathcal{P}_1$
$\mathcal{Q} :: \vdash (\Phi; C \triangleright \lambda p^L.\ (\psi; \delta)) \in F$ by using $\mathcal{G}_2$ on $\mathcal{P}_2$

Case: $\mathcal{E} = \mathrm{trcase} :: \Phi; C \triangleright \mathsf{case}\ (\psi; \delta)\ \mathsf{of}\ \Omega \Longrightarrow \Phi; C \triangleright (\psi; \delta) \sim \Omega$

$\mathcal{D} :: \vdash (\Phi; C \triangleright \mathsf{case}\ (\psi; \delta)\ \mathsf{of}\ \Omega) \in F$ by assumption
$\mathcal{D}_1 :: \Phi \vdash C \in F_1[\psi] \Rightarrow F$ by inversion on $\mathcal{D}$
$\mathcal{D}_2 :: \Phi; \cdot \vdash \mathsf{case}\ (\psi; \delta)\ \mathsf{of}\ \Omega \in F_1[\psi]$ by inversion on $\mathcal{D}$
$\mathcal{E}_1 :: \Phi; \cdot \vdash \psi; \delta : \Psi; \Delta$ by inversion on $\mathcal{D}_2$
$\mathcal{E}_2 :: \Psi; \Delta \vdash \Omega \in F_1$ by inversion on $\mathcal{D}_2$
$\mathcal{Q} :: \vdash (\Phi; C \triangleright (\psi; \delta) \sim \Omega) \in F$ by tscase on $\mathcal{D}_2$, $\mathcal{E}_1$, $\mathcal{E}_2$


Case: $\mathcal{E} = $ tryes $:: \Phi; C \triangleright (\psi; \delta) \sim (\Omega, (\Psi' \triangleright \psi' \mapsto P)) \Longrightarrow \Phi; C \triangleright P[\psi''; \delta]$

There exists a $\psi''$ s.t. $(\psi'; \mathrm{id}_\Delta) \circ (\psi''; \delta) = (\psi; \delta)$ by side condition
$\mathcal{D} :: \vdash (\Phi; C \triangleright (\psi; \delta) \sim \Omega, (\Psi' \triangleright \psi' \mapsto P)) \in F$ by assumption
$\mathcal{D}_1 :: \Phi \vdash C \in F_1[\psi] \Longrightarrow F$ by inversion on $\mathcal{D}$
$\mathcal{D}_2 :: \Phi; \cdot \vdash \psi; \delta \in \Psi; \Delta$ by inversion on $\mathcal{D}$
$\mathcal{D}_3 :: \Psi; \Delta \vdash \Omega, (\Psi' \triangleright \psi' \mapsto P) \in F_1$ by inversion on $\mathcal{D}$
$\mathcal{E}_1 :: \Psi'; [\psi']\Delta \vdash \psi'; \mathrm{id}_\Delta \in \Psi; \Delta$ by inversion on $\mathcal{D}_3$
$\mathcal{E}_2 :: \Psi; \Delta \vdash \Omega \in F_1$ by inversion on $\mathcal{D}_3$
$\mathcal{E}_3 :: \Psi'; [\psi']\Delta \vdash P \in F_1[\psi']$ by inversion on $\mathcal{D}_3$
$\mathcal{F}_1 :: \Phi; \cdot \vdash \psi''; \delta \in \Psi'; [\psi']\Delta$ by type correctness of side condition
$\mathcal{F} :: \Phi; \cdot \vdash P[\psi''; \delta] \in F_1[\psi'][\psi'']$ by Lemma 6.20(1) on $\mathcal{E}_3, \mathcal{F}_1$
$\mathcal{F} :: \Phi; \cdot \vdash P[\psi''; \delta] \in F_1[\psi]$ by Definition of $\psi''$
$\mathcal{Q} :: \vdash (\Phi; C \triangleright P[\psi''; \delta]) \in F$ by tsprg on $\mathcal{D}_1, \mathcal{F}$

Case: $\mathcal{E} = $ trno $:: \Phi; C \triangleright (\psi; \delta) \sim (\Omega, (\Psi' \triangleright \psi' \mapsto P)) \Longrightarrow \Phi; C \triangleright (\psi; \delta) \sim \Omega$

$\mathcal{D} :: \vdash (\Phi; C \triangleright (\psi; \delta) \sim \Omega, (\Psi' \triangleright \psi' \mapsto P)) \in F$ by assumption
$\mathcal{D}_1 :: \Phi \vdash C \in F_1[\psi] \Longrightarrow F$ by inversion on $\mathcal{D}$
$\mathcal{D}_2 :: \Phi; \cdot \vdash \psi; \delta \in \Psi; \Delta$ by inversion on $\mathcal{D}$
$\mathcal{D}_3 :: \Psi; \Delta \vdash \Omega, (\Psi' \triangleright \psi' \mapsto P) \in F_1$ by inversion on $\mathcal{D}$
$\mathcal{P} :: \Phi; \Delta \vdash (\psi; \delta) \sim \Omega \in F$ by inversion on $\mathcal{D}_3$
$\mathcal{Q} :: \vdash (\Phi; C \triangleright (\psi; \delta) \sim \Omega) \in F$ by tscase on $\mathcal{D}_1, \mathcal{D}_2, \mathcal{P}$

□

Theorem 7.4 (Type preservation for small-step semantics)

If $\mathcal{D} :: S \Longrightarrow^* S'$
and $\mathcal{E} :: \vdash S \in F$
then $\vdash S' \in F$.

Proof: by induction on $\mathcal{D}$:

Case: $\mathcal{D} = \dfrac{}{S \Longrightarrow^* S}$ trid

$\mathcal{E} :: \vdash S \in F$ by assumption

Case: $\mathcal{D} = \dfrac{\mathcal{D}_1 :: S_1 \Longrightarrow S_2 \qquad \mathcal{D}_2 :: S_2 \Longrightarrow^* S_3}{S_1 \Longrightarrow^* S_3}$ trstep

$\mathcal{E}_1 :: \vdash S_1 \in F$ by assumption
$\mathcal{E}_2 :: \vdash S_2 \in F$ by Lemma 7.3 on $\mathcal{E}_1, \mathcal{D}_1$
$\mathcal{E}_3 :: \vdash S_3 \in F$ by i.h. on $\mathcal{D}_2, \mathcal{E}_2$

□

Theorem 7.9 (Termination) We consider the evaluation of a function of type
$\forall x_1 : A_1. \ldots \forall x_n : A_n. \exists y_1 : A'_1. \ldots \exists y_m : A'_m. \top$ applied to arguments $M_1, \ldots, M_n$ in a parameter context $\Phi$. The termination order is $\mathcal{O}$ and all procedures (used as lemmas) terminate.

1. If $S = \Phi; C \triangleright P$ and $P$ is not a value
then $S \Longrightarrow^* \Phi; C \triangleright V$
or the computation terminates prematurely.

2. If $S = \Phi; C \triangleright (\psi; \delta) \sim \Omega$
then $S \Longrightarrow^* \Phi; C \triangleright V$
or the computation terminates prematurely.

Proof: by induction lexicographically on `$\mathit{order}(\mathcal{O}, M_1 \ldots M_n)$' and ($P$ (2) and $\Omega$ (3)).

1.  Case:  P  =  let  D  in  P' 

D  —  v  pf1 ....  1/  Pg' q .  by  definition 

Yl  =  x[P'/x]  M[, 
y2  =  y0  Mg 

ym  =  yn  M'm, 

(^hym+l)  =  Ymi 
(xpiym+p)  =  Ym+p-l 

Case:  x  recursion  variable 

m  =  n 

order  ( O ,  M{  . . .  M'n)  <0  order  (O,  Mi  . . .  Mn ) 

P1  =  Azi  :  Ai-  ...  Aa;n  :  An.  P" 

C  >  let  D  in  P' 

C  >  P'^M^/x!, . . . ,  M'n/xn\ 

or  the  computation  terminates  prematurely 
Case:  x  lemma  variable 


by  inversion 
by  Condition  7.8 
by  n  inversion  steps 

by  n  applications  of  trApp 

by  i.h.  (2) 


$\Phi; C \triangleright \mathbf{let}\ D\ \mathbf{in}\ P' \Longrightarrow^* \Phi; C \triangleright V$
or the computation terminates prematurely by assumption


Case: $P = (P_1, P_2)$

$\Phi; C \triangleright (P_1, P_2)$
$\Longrightarrow \Phi; C, (\bullet, P_2) \triangleright P_1$ by trpair
$\Longrightarrow^* \Phi; C, (\bullet, P_2) \triangleright V_1$ by i.h.(1)
$\Longrightarrow \Phi; C \triangleright (V_1, P_2)$ by trpairC
$\Longrightarrow \Phi; C, (V_1, \bullet) \triangleright P_2$ by trmix
$\Longrightarrow^* \Phi; C, (V_1, \bullet) \triangleright V_2$ by i.h.(1)
$\Longrightarrow \Phi; C \triangleright (V_1, V_2)$ by trmixC
or the computation terminates prematurely

Case: $P = (V_1, P_2)$

$\Phi; C \triangleright (V_1, P_2)$
$\Longrightarrow \Phi; C, (V_1, \bullet) \triangleright P_2$ by trmix
$\Longrightarrow^* \Phi; C, (V_1, \bullet) \triangleright V_2$ by i.h.(1)
$\Longrightarrow \Phi; C \triangleright (V_1, V_2)$ by trmixC
or the computation terminates prematurely

Case: $P = (M, P)$

$\Phi; C \triangleright (M, P)$
$\Longrightarrow \Phi; C, (M, \bullet) \triangleright P$ by trinx
$\Longrightarrow^* \Phi; C, (M, \bullet) \triangleright V$ by i.h.(1)
$\Longrightarrow \Phi; C \triangleright (M, V)$ by trinxC
or the computation terminates prematurely

Case: $P = \mu x \in F. P'$

$\Phi; C \triangleright \mu x \in F. P'$
$\Longrightarrow \Phi; C \triangleright P'[\mu x \in F. P'/x]$ by trrec
$\Longrightarrow^* \Phi; C \triangleright V$ by i.h.(1)
or the computation terminates prematurely

Case: $P = \mathbf{case}\ (\psi; \delta)\ \mathbf{of}\ \Omega$

$\Phi; C \triangleright \mathbf{case}\ (\psi; \delta)\ \mathbf{of}\ \Omega$
$\Longrightarrow \Phi; C \triangleright (\psi; \delta) \sim \Omega$ by trcase
$\Longrightarrow^* \Phi; C \triangleright V$ by i.h.(2)
or the computation terminates prematurely

2. Case: $\Omega, (\Psi' \triangleright \psi' \mapsto P)$ and there exists a $\psi''$ s.t. $(\psi'; \mathrm{id}_\Delta) \circ (\psi''; \delta) = (\psi; \delta)$

$\Phi; C \triangleright (\psi; \delta) \sim (\Omega, (\Psi' \triangleright \psi' \mapsto P))$
$\Longrightarrow \Phi; C \triangleright P[\psi''; \delta]$ by tryes
$\Longrightarrow^* \Phi; C \triangleright V$ by i.h.(1)
or the computation terminates prematurely

Case: $\Omega, (\Psi' \triangleright \psi' \mapsto P)$ and there is no $\psi''$ s.t. $(\psi'; \mathrm{id}_\Delta) \circ (\psi''; \delta) = (\psi; \delta)$

$\Phi; C \triangleright (\psi; \delta) \sim (\Omega, (\Psi' \triangleright \psi' \mapsto P))$
$\Longrightarrow \Phi; C \triangleright (\psi; \delta) \sim \Omega$ by trno
$\Longrightarrow^* \Phi; C \triangleright V$ by i.h.(2)
or the computation terminates prematurely

□
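As an added illustration (not code from the thesis or from Twelf), the following Python model executes the pair, mix, inx and rec transitions that the cases of Theorem 7.9 step through and records which rule fired at each step; the term syntax, the frame names pairL/pairR/inxL, the omission of the parameter context and the step budget are assumptions of this example.

```python
# Added example, not code from the thesis or from Twelf: a small Python model
# of the continuation-based abstract machine whose transitions trpair, trpairC,
# trmix, trmixC, trinx, trinxC and trrec are stepped through in the proof of
# Theorem 7.9. The parameter context Phi is untouched by these rules and is
# not modelled; LF objects M are opaque strings. The term syntax, the frame
# names and the step budget are assumptions of this example (the thesis' let,
# case and application rules are omitted).
#
#   ("unit",)          the value <>
#   ("pair", P1, P2)   (P1, P2)
#   ("inx", M, P)      (M, P): an LF object paired with a program
#   ("rec", x, F, P)   mu x in F. P
#   ("var", x)         recursion variable bound by an enclosing rec
# Frames: ("pairL", P2) is (., P2); ("pairR", V1) is (V1, .); ("inxL", M) is (M, .)

def is_value(P):
    """True when P is a value V: built only from <>, (V1, V2) and (M, V)."""
    tag = P[0]
    if tag == "unit":
        return True
    if tag == "pair":
        return is_value(P[1]) and is_value(P[2])
    if tag == "inx":
        return is_value(P[2])
    return False                        # rec and var are never values

def subst(P, x, R):
    """P[R/x]: replace the recursion variable x by R, respecting shadowing."""
    tag = P[0]
    if tag == "var":
        return R if P[1] == x else P
    if tag == "pair":
        return ("pair", subst(P[1], x, R), subst(P[2], x, R))
    if tag == "inx":
        return ("inx", P[1], subst(P[2], x, R))
    if tag == "rec":
        return P if P[1] == x else ("rec", P[1], P[2], subst(P[3], x, R))
    return P

def step(C, P):
    """One transition C |> P ==> C' |> P'. Returns (rule, C', P'), or None
    when C |> P is final, i.e. C is empty and P is a value."""
    if not is_value(P):
        tag = P[0]
        if tag == "pair":
            if not is_value(P[1]):                            # trpair
                return ("trpair", C + [("pairL", P[2])], P[1])
            return ("trmix", C + [("pairR", P[1])], P[2])    # trmix, P[1]=V1
        if tag == "inx":                                      # trinx
            return ("trinx", C + [("inxL", P[1])], P[2])
        if tag == "rec":                                      # trrec: unfold
            return ("trrec", C, subst(P[3], P[1], P))
        raise ValueError("ill-typed state: free recursion variable")
    if not C:
        return None                                           # final: . |> V
    frame, rest = C[-1], C[:-1]
    if frame[0] == "pairL":                                   # trpairC
        return ("trpairC", rest, ("pair", P, frame[1]))
    if frame[0] == "pairR":                                   # trmixC
        return ("trmixC", rest, ("pair", frame[1], P))
    return ("trinxC", rest, ("inx", frame[1], P))             # trinxC

def run(P, budget=1000):
    """Drive . |> P to a final value; returns (V, list of rules applied).
    The budget only bounds the loop; Theorem 7.9 derives termination from the
    termination order, which this toy model does not check."""
    C, trace = [], []
    for _ in range(budget):
        r = step(C, P)
        if r is None:
            return P, trace
        rule, C, P = r
        trace.append(rule)
    raise RuntimeError("step budget exhausted")

# Constructed input: both components still need evaluation, so each rule of
# the pair, mix, inx and rec cases fires at least once.
EXAMPLE = ("pair", ("inx", "M1", ("rec", "x", "F", ("unit",))),
           ("pair", ("unit",), ("inx", "M2", ("rec", "y", "F", ("unit",)))))
```

Running `run(EXAMPLE)` yields the fully evaluated pair together with the rule sequence trpair, trinx, trrec, trinxC, trpairC, trmix, trmix, trinx, trrec, trinxC, trmixC, trmixC, mirroring the order in which the proof's cases invoke the rules.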

Lemma 7.18 (Liveness of constant covers)

If $\mathcal{D} :: \Psi_1; x : \Pi\gamma_x. B_x; \Psi_2 \vdash \Sigma \gg \omega\ \mathit{cover}$
and $\Psi = \Psi_1, x : \Pi\gamma_x. B_x, \Psi_2$
and $\Psi \vdash \mathit{raise}(\gamma_x, \Pi\gamma_c. B_c) = (\Psi_c \triangleright \Pi\gamma_x. B'_c)$
and $\mathcal{T} :: \Phi; \cdot \vdash \psi; \delta \in \Psi, \Psi_c; \Delta$
and $\mathcal{Q} :: \Sigma(c) = \Pi\gamma_c. B_c$
and $\psi \in \mathit{unify}(\Pi\gamma_x. B_x \approx \Pi\gamma_x. B'_c,\ x \approx \lambda\gamma_x.\, c\,(\Psi_c\,\gamma_x))$
then there exists a $(\Psi_0 \triangleright \psi_0) \in \omega$ and a $\psi_1$
s.t. $\Phi \vdash \psi_1 \in \Psi_0$
and $\Psi_0 \vdash \psi_0 \in \Psi$
and $\Phi \vdash \psi_0 \circ \psi_1 = \psi|_{\Psi} \in \Psi$

Proof: by induction on $\mathcal{D}$:

Case: $\mathcal{D} = \dfrac{}{\Psi_1; x : \Pi\gamma_x. B_x; \Psi_2 \vdash \cdot \gg \cdot\ \mathit{cover}}$ ccempty

Impossible case: $\cdot(c)$ is undefined, by $\mathcal{Q}$


Case: $\mathcal{D} = \dfrac{\mathcal{D}_1 :: \Psi_1; x : \Pi\gamma_x. B_x; \Psi_2 \vdash \Sigma \gg \omega\ \mathit{cover}}{\Psi_1; x : \Pi\gamma_x. B_x; \Psi_2 \vdash \Sigma, d : \Pi\gamma_d. B_d \gg \omega, (\Psi' \triangleright \psi_m|_{\Psi})\ \mathit{cover}}$ ccunify

Case: $c \neq d$

there exists a $(\Psi_0 \triangleright \psi_0) \in \omega$ and a $\psi_1$, s.t.
$\Phi \vdash \psi_1 \in \Psi_0$
$\Psi_0 \vdash \psi_0 \in \Psi$
$\Phi \vdash \psi_0 \circ \psi_1 = \psi|_{\Psi} \in \Psi$ by i.h. on $\mathcal{D}_1$
$(\Psi_0 \triangleright \psi_0) \in \omega, (\Psi' \triangleright \psi_m|_{\Psi})$ trivial

Case: $c = d$

$\Psi' \vdash \psi_m = \mathit{mgu}(\Pi\gamma_x. B_x \approx \Pi\gamma_x. B'_c,\ x \approx \lambda\gamma_x.\, c\,(\Psi_c\,\gamma_x)) \in \Psi, \Psi_c$ by side condition
there exists a $\psi_1$, s.t. $\Phi \vdash \psi_m \circ \psi_1 = \psi \in \Psi, \Psi_c$ since $\psi_m$ is mgu
$\mathcal{P}_1 :: \Phi \vdash \psi_1 \in \Psi'$ by well-typedness of $\psi_m \circ \psi_1$
$\mathcal{P}_2 :: \Psi' \vdash \psi_m \in \Psi, \Psi_c$ by well-typedness of $\psi_m \circ \psi_1$
$\mathcal{P}_3 :: \Psi' \vdash \psi_m|_{\Psi} \in \Psi$ by Lemma 7.14
$(\Psi' \triangleright \psi_m|_{\Psi}) \in \omega, (\Psi' \triangleright \psi_m|_{\Psi})$ trivial
$\Phi \vdash \psi_m|_{\Psi} \circ \psi_1 = \psi|_{\Psi} \in \Psi$ by Lemma 7.15

Case: $\mathcal{D} = \dfrac{\mathcal{D}_1 :: \Psi_1; x : \Pi\gamma_x. B_x; \Psi_2 \vdash \Sigma \gg \omega\ \mathit{cover}}{\Psi_1; x : \Pi\gamma_x. B_x; \Psi_2 \vdash \Sigma, d : \Pi\gamma_d. B_d \gg \omega\ \mathit{cover}}$ ccskip

Case: $c \neq d$

there exists a $(\Psi_0 \triangleright \psi_0) \in \omega$ and a $\psi_1$, s.t.
$\Phi \vdash \psi_1 \in \Psi_0$
$\Psi_0 \vdash \psi_0 \in \Psi$
$\Phi \vdash \psi_0 \circ \psi_1 = \psi|_{\Psi} \in \Psi$ by i.h. on $\mathcal{D}_1$

Case: $c = d$

$\Pi\gamma_x. B_x \approx \Pi\gamma_x. B'_c,\ x \approx \lambda\gamma_x.\,(c\,(\Psi_c\,\gamma_x))$ do not unify by assumption
$\Pi\gamma_x. B_x \approx \Pi\gamma_x. B'_c,\ x \approx \lambda\gamma_x.\,(c\,(\Psi_c\,\gamma_x))$ unifies by assumption
Impossible case

□

Lemma 7.19 (Liveness of local parameter covers)

If $\mathcal{D} :: \Psi_1; x : \Pi\gamma_x. B_x; \Psi_2 \vdash \Gamma \gg \omega\ \mathit{cover}$
and $\Psi = \Psi_1, x : \Pi\gamma_x. B_x, \Psi_2$
and $\Psi \vdash \mathit{raise}(\gamma_x, \Pi\gamma_p. B_p) = (\Psi_p \triangleright \Pi\gamma_x. B'_p)$
and $\mathcal{T} :: \Phi; \cdot \vdash \psi; \delta \in \Psi, \Psi_p; \Delta$
and $\mathcal{Q} :: \Gamma(p) = \Pi\gamma_p. B_p$
and $\psi \in \mathit{unify}(\Pi\gamma_x. B_x \approx \Pi\gamma_x. B'_p,\ x \approx \lambda\gamma_x.\, p\,(\Psi_p\,\gamma_x))$
then there exists a $(\Psi_0 \triangleright \psi_0) \in \omega$ and a $\psi_1$
s.t. $\Phi \vdash \psi_1 \in \Psi_0$
and $\Psi_0 \vdash \psi_0 \in \Psi$
and $\Phi \vdash \psi_0 \circ \psi_1 = \psi|_{\Psi} \in \Psi$

Proof: by induction on $\mathcal{D}$:

Case: $\mathcal{D} = \dfrac{}{\Psi_1; x : \Pi\gamma_x. B_x; \Psi_2 \vdash \cdot \gg \cdot\ \mathit{cover}}$ ccempty

Impossible case: $\cdot(p)$ is undefined, by $\mathcal{Q}$

Case: $\mathcal{D} = \dfrac{\mathcal{D}_1 :: \Psi_1; x : \Pi\gamma_x. B_x; \Psi_2 \vdash \Gamma \gg \omega\ \mathit{cover}}{\Psi_1; x : \Pi\gamma_x. B_x; \Psi_2 \vdash \Gamma, d : \Pi\gamma_d. B_d \gg \omega, (\Psi' \triangleright \psi_m|_{\Psi})\ \mathit{cover}}$ ccunify

Case: $p \neq d$
there exists a $(\Psi_0 \triangleright \psi_0) \in \omega$ and a $\psi_1$, s.t.
$\Phi \vdash \psi_1 \in \Psi_0$
$\Psi_0 \vdash \psi_0 \in \Psi$
$\Phi \vdash \psi_0 \circ \psi_1 = \psi|_{\Psi} \in \Psi$ by i.h. on $\mathcal{D}_1$
$(\Psi_0 \triangleright \psi_0) \in \omega, (\Psi' \triangleright \psi_m|_{\Psi})$ trivial

Case: $p = d$

$\Psi' \vdash \psi_m = \mathit{mgu}(\Pi\gamma_x. B_x \approx \Pi\gamma_x. B'_p,\ x \approx \lambda\gamma_x.\, p\,(\Psi_p\,\gamma_x)) \in \Psi, \Psi_p$ by side condition
there exists a $\psi_1$, s.t. $\Phi \vdash \psi_m \circ \psi_1 = \psi \in \Psi, \Psi_p$ since $\psi_m$ is mgu
$\mathcal{P}_1 :: \Phi \vdash \psi_1 \in \Psi'$ by well-typedness of $\psi_m \circ \psi_1$
$\mathcal{P}_2 :: \Psi' \vdash \psi_m \in \Psi, \Psi_p$ by well-typedness of $\psi_m \circ \psi_1$
$\mathcal{P}_3 :: \Psi' \vdash \psi_m|_{\Psi} \in \Psi$ by Lemma 7.14
$(\Psi' \triangleright \psi_m|_{\Psi}) \in \omega, (\Psi' \triangleright \psi_m|_{\Psi})$ trivial
$\Phi \vdash \psi_m|_{\Psi} \circ \psi_1 = \psi|_{\Psi} \in \Psi$ by Lemma 7.15

Case: $\mathcal{D} = \dfrac{\mathcal{D}_1 :: \Psi_1; x : \Pi\gamma_x. B_x; \Psi_2 \vdash \Gamma \gg \omega\ \mathit{cover}}{\Psi_1; x : \Pi\gamma_x. B_x; \Psi_2 \vdash \Gamma, d : \Pi\gamma_d. B_d \gg \omega\ \mathit{cover}}$ ccskip

Case: $p \neq d$

there exists a $(\Psi_0 \triangleright \psi_0) \in \omega$ and a $\psi_1$, s.t.
$\Phi \vdash \psi_1 \in \Psi_0$
$\Psi_0 \vdash \psi_0 \in \Psi$
$\Phi \vdash \psi_0 \circ \psi_1 = \psi|_{\Psi} \in \Psi$ by i.h. on $\mathcal{D}_1$

Case: $p = d$

$\Pi\gamma_x. B_x \approx \Pi\gamma_x. B'_p,\ x \approx \lambda\gamma_x.\,(p\,(\Psi_p\,\gamma_x))$ do not unify by assumption
$\Pi\gamma_x. B_x \approx \Pi\gamma_x. B'_p,\ x \approx \lambda\gamma_x.\,(p\,(\Psi_p\,\gamma_x))$ unifies by assumption
Impossible case

□


Lemma 7.20 (Liveness of global parameter covers)

If $\mathcal{D} :: \Psi_1; x : \Pi\gamma_x. B_x; \Psi_2; \Psi_3 \vdash \rho \gg \omega\ \mathit{cover}$
and $\Psi = \Psi_1, x : \Pi\gamma_x. B_x, \Psi_2$
and $\vdash \mathit{raise}(\gamma_x, \Pi\gamma_y. B_y) = (\Psi_y \triangleright \Pi\gamma_x. B'_y)$
and $\mathcal{T} :: \Phi \vdash \psi \in \Psi, \Psi_3, \Psi_y$
and $\mathcal{Q} :: \rho(y) = \Pi\gamma_y. B_y$
and $\psi \in \mathit{unify}(\Pi\gamma_x. B_x \approx \Pi\gamma_x. B'_y,\ x \approx \lambda\gamma_x.\, y\,(\Psi_y\,\gamma_x))$
then there exists a $(\Psi_0 \triangleright \psi_0) \in \omega$ and a $\psi_1$
s.t. $\Phi \vdash \psi_1 \in \Psi_0$
and $\Psi_0 \vdash \psi_0 \in \Psi$
and $\Phi \vdash \psi_0 \circ \psi_1 = \psi|_{\Psi} \in \Psi$

Proof: by induction on $\mathcal{D}$:

Case: $\mathcal{D} = \dfrac{}{\Psi_1; x : \Pi\gamma_x. B_x; \Psi_2; \Psi_3 \vdash \cdot \gg \cdot\ \mathit{cover}}$ ccempty

Impossible case: $\cdot(y)$ is undefined, by $\mathcal{Q}$

Case: $\mathcal{D} = \dfrac{\mathcal{D}_1 :: \Psi_1; x : \Pi\gamma_x. B_x; \Psi_2; \Psi_3 \vdash \rho \gg \omega\ \mathit{cover}}{\Psi_1; x : \Pi\gamma_x. B_x; \Psi_2; \Psi_3 \vdash \rho, d : \Pi\gamma_d. B_d \gg \omega, (\Psi' \triangleright \psi_m|_{\Psi})\ \mathit{cover}}$ ccunify

Case: $y \neq d$

there exists a $(\Psi_0 \triangleright \psi_0) \in \omega$ and a $\psi_1$, s.t.
$\Phi \vdash \psi_1 \in \Psi_0$
$\Psi_0 \vdash \psi_0 \in \Psi$
$\Phi \vdash \psi_0 \circ \psi_1 = \psi|_{\Psi} \in \Psi$ by i.h. on $\mathcal{D}_1$
$(\Psi_0 \triangleright \psi_0) \in \omega, (\Psi' \triangleright \psi_m|_{\Psi})$ trivial

Case: $y = d$

$\Psi' \vdash \psi_m = \mathit{mgu}(\Pi\gamma_x. B_x \approx \Pi\gamma_x. B'_y,\ x \approx \lambda\gamma_x.\, y\,(\Psi_y\,\gamma_x)) \in \Psi, \Psi_3, \Psi_y$ by side condition
there exists a $\psi_1$, s.t. $\Phi \vdash \psi_m \circ \psi_1 = \psi \in \Psi, \Psi_3, \Psi_y$ since $\psi_m$ is mgu
$\mathcal{P}_1 :: \Phi \vdash \psi_1 \in \Psi'$ by well-typedness of $\psi_m \circ \psi_1$
$\mathcal{P}_2 :: \Psi' \vdash \psi_m \in \Psi, \Psi_3, \Psi_y$ by well-typedness of $\psi_m \circ \psi_1$
$\mathcal{P}_3 :: \Psi' \vdash \psi_m|_{\Psi} \in \Psi$ by Lemma 7.14
$(\Psi' \triangleright \psi_m|_{\Psi}) \in \omega, (\Psi' \triangleright \psi_m|_{\Psi})$ trivial
$\Phi \vdash \psi_m|_{\Psi} \circ \psi_1 = \psi|_{\Psi} \in \Psi$ by Lemma 7.15

Case: $\mathcal{D} = \dfrac{\mathcal{D}_1 :: \Psi_1; x : \Pi\gamma_x. B_x; \Psi_2; \Psi_3 \vdash \rho \gg \omega\ \mathit{cover}}{\Psi_1; x : \Pi\gamma_x. B_x; \Psi_2; \Psi_3 \vdash \rho, d : \Pi\gamma_d. B_d \gg \omega\ \mathit{cover}}$ ccskip

Case: $y \neq d$

there exists a $(\Psi_0 \triangleright \psi_0) \in \omega$ and a $\psi_1$, s.t.
$\Phi \vdash \psi_1 \in \Psi_0$
$\Psi_0 \vdash \psi_0 \in \Psi$
$\Phi \vdash \psi_0 \circ \psi_1 = \psi|_{\Psi} \in \Psi$ by i.h. on $\mathcal{D}_1$

Case: $y = d$

$\Pi\gamma_x. B_x \approx \Pi\gamma_x. B'_y,\ x \approx \lambda\gamma_x.\,(y\,(\Psi_y\,\gamma_x))$ do not unify by assumption
$\Pi\gamma_x. B_x \approx \Pi\gamma_x. B'_y,\ x \approx \lambda\gamma_x.\,(y\,(\Psi_y\,\gamma_x))$ unifies by assumption
Impossible case

□


Lemma 7.21 (Liveness of schematic coverage)

If $\mathcal{D} :: \Psi_1; x : \Pi\gamma_x. B_x; \Psi_2 \vdash S \gg \omega\ \mathit{cover}$
and $\Psi = \Psi_1, x : \Pi\gamma_x. B_x, \Psi_2$
and $\mathcal{T} :: \Phi \vdash \psi \in \Psi$
and $\psi(x) = \lambda\gamma_x.\, g\, M_1 \ldots M_n$
and $p^L \in \Phi$
and $\rho(g) = \Pi\gamma_g. B_g$
and $\mathcal{Q} :: S(L) = \mathrm{SOME}\ C_1.\ \mathrm{BLOCK}\ C_2$
then there exists a $(\Psi_0 \triangleright \psi_0) \in \omega$ and a $\psi_1$
s.t. $\Phi \vdash \psi_1 \in \Psi_0$
and $\Psi_0 \vdash \psi_0 \in \Psi$
and $\Phi \vdash \psi_0 \circ \psi_1 = \psi \in \Psi$

Proof: by induction on $\mathcal{D}$

Case: $\mathcal{D} = \dfrac{}{\Psi_1; x : \Pi\gamma_x. B_x; \Psi_2 \vdash \cdot \gg \cdot\ \mathit{cover}}$ scempty

Impossible case: $\cdot(L)$ is undefined, by $\mathcal{Q}$

Case: $\mathcal{D}$ ends in scnext, with premises
$\mathcal{D}_1 :: \Psi_1; x : \Pi\gamma_x. B_x; \Psi_2 \vdash S \gg \omega_1\ \mathit{cover}$
$\mathcal{D}_2 :: \Psi_3 \vdash \sigma \in C_1$
$\mathcal{D}_3 :: \Psi_1, x : \Pi\gamma_x. B_x, \Psi_2, \Psi_3 \vdash \rho = [\sigma]C_2$
$\mathcal{D}_4 :: \Psi_1; x : \Pi\gamma_x. B_x; \Psi_2; \Psi_3, p^{L'} \vdash \rho \gg \omega_2\ \mathit{cover}$
and conclusion $\Psi_1; x : \Pi\gamma_x. B_x; \Psi_2 \vdash S, (\mathrm{SOME}\ C_1.\ \mathrm{BLOCK}\ C_2)^{L'} \gg \omega_1, \omega_2\ \mathit{cover}$

Case: $L = L'$

$\Psi \vdash \mathit{raise}(\gamma_x, \Pi\gamma_g. B_g) = (\Psi_g \triangleright \Pi\gamma_x. B'_g)$ by definition
$\Psi_g = z_1 : A_1, \ldots, z_n : A_n$ by definition
$\mathcal{Q}_1 :: \Psi, \Psi_g \vdash \lambda\gamma_x.\, g\,(\Psi_g\,\gamma_x) \in \Pi\gamma_x. B'_g$ by Lemma 7.11
$\mathcal{E}_1 :: \Phi \vdash \sigma = \psi, \lambda\gamma_x. M_1/z_1, \ldots, \lambda\gamma_x. M_n/z_n \in \Psi, \Psi_g$ by Def. Substitution
$\mathcal{P}_1 :: \Phi \vdash \lambda\gamma_x.\, g\,(\Psi_g\,\gamma_x)[\sigma] = \lambda[\sigma]\gamma_x.\, g\, M_1 \ldots M_n$ by Lemma 6.7(1)
$\Phi \vdash \lambda\gamma_x.\, g\,(\Psi_g\,\gamma_x)[\sigma] = \lambda[\psi]\gamma_x.\, g\, M_1 \ldots M_n$ since $\gamma_x$ does not depend on $\Psi_g$
$\Phi \vdash \lambda\gamma_x.\, g\,(\Psi_g\,\gamma_x)[\sigma] \in \Pi\gamma_x. B'_g[\sigma]$ by LF substitution lemma on $\mathcal{Q}_1$
$\Phi \vdash \lambda\gamma_x.\, g\,(\Psi_g\,\gamma_x)[\sigma] \in \Pi\gamma_x. B_x[\sigma]$ by Definition of substitution
$\mathcal{P}_2 :: \Phi \vdash \Pi\gamma_x. B'_g[\sigma] = \Pi\gamma_x. B_x[\sigma]$ by Lemma 2.7
$\sigma \in \mathit{unify}(x \approx \lambda\gamma_x.\, g\,(\Psi_g\,\gamma_x),\ \Pi\gamma_x. B_x \approx \Pi\gamma_x. B'_g)$ by Definition 7.10 on $\mathcal{P}_1, \mathcal{P}_2$
there exists a $(\Psi_0 \triangleright \psi_0) \in \omega_2$ and a $\psi_1$, s.t.
$\Phi \vdash \psi_1 \in \Psi_0$
$\Psi_0 \vdash \psi_0 \in \Psi$
$\Phi \vdash \psi_0 \circ \psi_1 = \psi \in \Psi$ by Lemma 7.20
$(\Psi_0 \triangleright \psi_0) \in \omega_1, \omega_2$ trivial

Case: $L \neq L'$

there exists a $(\Psi_0 \triangleright \psi_0) \in \omega_1$ and a $\psi_1$, s.t.
$\Phi \vdash \psi_1 \in \Psi_0$
$\Psi_0 \vdash \psi_0 \in \Psi$
$\Phi \vdash \psi_0 \circ \psi_1 = \psi \in \Psi$ by i.h. on $\mathcal{D}_1$
$(\Psi_0 \triangleright \psi_0) \in \omega_1, \omega_2$ trivial

□


Lemma 7.22 (Liveness of single coverage)

If $\mathcal{D} :: \Psi \vdash \omega\ \mathit{cover}$
and $\mathcal{E} :: \Phi \vdash \psi \in \Psi$
then there exists a $(\Psi_0 \triangleright \psi_0) \in \omega$ and a $\psi_1$
s.t. $\Phi \vdash \psi_1 \in \Psi_0$
and $\Psi_0 \vdash \psi_0 \in \Psi$
and $\Phi \vdash \psi_0 \circ \psi_1 = \psi \in \Psi$

Proof: by case analysis of $\mathcal{D}$:

$\mathcal{D}$ ends in single, with premises
$\mathcal{D}_1 :: \Psi = \Psi_1, x : \Pi\gamma_x. B_x, \Psi_2$
$\mathcal{D}_2 :: \Psi_1; x : \Pi\gamma_x. B_x; \Psi_2 \vdash \Gamma \gg \omega_1\ \mathit{cover}$
$\mathcal{D}_3 :: \Psi_1; x : \Pi\gamma_x. B_x; \Psi_2 \vdash \Sigma \gg \omega_2\ \mathit{cover}$
$\mathcal{D}_4 :: \Psi_1; x : \Pi\gamma_x. B_x; \Psi_2 \vdash S \gg \omega_3\ \mathit{cover}$
and conclusion $\Psi \vdash \omega_1, \omega_2, \omega_3\ \mathit{cover}$

Let $\psi(x) = \lambda[\psi]\gamma_x.\, h\, M_1 \ldots M_n$ by Theorem 2.6 and $\mathcal{D}_1$

Case: $h = c$

$\Sigma(c) = \Pi\gamma_c. B_c$ by well-typedness of $\psi$
$\Psi \vdash \mathit{raise}(\gamma_x, \Pi\gamma_c. B_c) = (\Psi_c \triangleright \Pi\gamma_x. B'_c)$ by definition
$\Psi_c = z_1 : A_1, \ldots, z_n : A_n$ by definition
$\mathcal{Q}_1 :: \Psi, \Psi_c \vdash \lambda\gamma_x.\, c\,(\Psi_c\,\gamma_x) \in \Pi\gamma_x. B'_c$ by Lemma 7.11
$\mathcal{E}_1 :: \Phi \vdash \sigma = \psi, \lambda\gamma_x. M_1/z_1, \ldots, \lambda\gamma_x. M_n/z_n \in \Psi, \Psi_c$ by Def. substitution
$\mathcal{P}_1 :: \Phi \vdash \lambda\gamma_x.\, c\,(\Psi_c\,\gamma_x)[\sigma] = \lambda[\sigma]\gamma_x.\, c\, M_1 \ldots M_n$ by Lemma 6.7(1)
$\Phi \vdash \lambda\gamma_x.\, c\,(\Psi_c\,\gamma_x)[\sigma] = \lambda[\psi]\gamma_x.\, c\, M_1 \ldots M_n$ since $\gamma_x$ does not depend on $\Psi_c$
$\Phi \vdash \lambda\gamma_x.\, c\,(\Psi_c\,\gamma_x)[\sigma] \in \Pi\gamma_x. B'_c[\sigma]$ by LF substitution lemma on $\mathcal{Q}_1$
$\Phi \vdash \lambda\gamma_x.\, c\,(\Psi_c\,\gamma_x)[\sigma] \in \Pi\gamma_x. B_x[\sigma]$ by Definition of substitution
$\mathcal{P}_2 :: \Phi \vdash \Pi\gamma_x. B'_c[\sigma] = \Pi\gamma_x. B_x[\sigma]$ by Lemma 2.7
$\sigma \in \mathit{unify}(x \approx \lambda\gamma_x.\, c\,(\Psi_c\,\gamma_x),\ \Pi\gamma_x. B_x \approx \Pi\gamma_x. B'_c)$ by Definition 7.10 on $\mathcal{P}_1, \mathcal{P}_2$
there exists a $(\Psi_0 \triangleright \psi_0) \in \omega_2$ and a $\psi_1$, s.t.
$\Phi \vdash \psi_1 \in \Psi_0$
$\Psi_0 \vdash \psi_0 \in \Psi$
$\Phi \vdash \psi_0 \circ \psi_1 = \psi \in \Psi$ by Lemma 7.18
$(\Psi_0 \triangleright \psi_0) \in \omega_1, \omega_2, \omega_3$ trivial

Case: $h = p$

$\Gamma(p) = \Pi\gamma_p. B_p$ by well-typedness of $\psi$
$\Psi \vdash \mathit{raise}(\gamma_x, \Pi\gamma_p. B_p) = (\Psi_p \triangleright \Pi\gamma_x. B'_p)$ by definition
$\Psi_p = z_1 : A_1, \ldots, z_n : A_n$ by definition
$\mathcal{Q}_1 :: \Psi, \Psi_p \vdash \lambda\gamma_x.\, p\,(\Psi_p\,\gamma_x) \in \Pi\gamma_x. B'_p$ by Lemma 7.11
$\mathcal{E}_1 :: \Phi \vdash \sigma = \psi, \lambda\gamma_x. M_1/z_1, \ldots, \lambda\gamma_x. M_n/z_n \in \Psi, \Psi_p$ by Def. substitution
$\mathcal{P}_1 :: \Phi \vdash \lambda\gamma_x.\, p\,(\Psi_p\,\gamma_x)[\sigma] = \lambda[\sigma]\gamma_x.\, p\, M_1 \ldots M_n$ by Lemma 6.7(1)
$\Phi \vdash \lambda\gamma_x.\, p\,(\Psi_p\,\gamma_x)[\sigma] = \lambda[\psi]\gamma_x.\, p\, M_1 \ldots M_n$ since $\gamma_x$ does not depend on $\Psi_p$
$\Phi \vdash \lambda\gamma_x.\, p\,(\Psi_p\,\gamma_x)[\sigma] \in \Pi\gamma_x. B'_p[\sigma]$ by LF substitution lemma on $\mathcal{Q}_1$
$\Phi \vdash \lambda\gamma_x.\, p\,(\Psi_p\,\gamma_x)[\sigma] \in \Pi\gamma_x. B_x[\sigma]$ by Definition of substitution
$\mathcal{P}_2 :: \Phi \vdash \Pi\gamma_x. B'_p[\sigma] = \Pi\gamma_x. B_x[\sigma]$ by Lemma 2.7
$\sigma \in \mathit{unify}(x \approx \lambda\gamma_x.\, p\,(\Psi_p\,\gamma_x),\ \Pi\gamma_x. B_x \approx \Pi\gamma_x. B'_p)$ by Definition 7.10 on $\mathcal{P}_1, \mathcal{P}_2$
there exists a $(\Psi_0 \triangleright \psi_0) \in \omega_1$ and a $\psi_1$, s.t.
$\Phi \vdash \psi_1 \in \Psi_0$
$\Psi_0 \vdash \psi_0 \in \Psi$
$\Phi \vdash \psi_0 \circ \psi_1 = \psi \in \Psi$ by Lemma 7.19
$(\Psi_0 \triangleright \psi_0) \in \omega_1, \omega_2, \omega_3$ trivial

Case: $h = g$

$p^L \in \Phi$ since $g$ is a global parameter
$\rho(g) = \Pi\gamma_g. B_g$
there exists a $(\Psi_0 \triangleright \psi_0) \in \omega_3$ and a $\psi_1$, s.t.
$\Phi \vdash \psi_1 \in \Psi_0$
$\Psi_0 \vdash \psi_0 \in \Psi$
$\Phi \vdash \psi_0 \circ \psi_1 = \psi \in \Psi$ by Lemma 7.21
$(\Psi_0 \triangleright \psi_0) \in \omega_1, \omega_2, \omega_3$ trivial

Lemma 7.23 (Liveness of multi coverage)

If $\mathcal{D} :: \Psi \vdash \omega\ \mathit{cover}^*$
and $\Phi \vdash \psi \in \Psi$
then there exists a $(\Psi_0 \triangleright \psi_0) \in \omega$ and a $\psi_1$
s.t. $\Phi \vdash \psi_1 \in \Psi_0$
and $\Psi_0 \vdash \psi_0 \in \Psi$
and $\Phi \vdash \psi_0 \circ \psi_1 = \psi \in \Psi$

Proof: by induction on $\mathcal{D}$

Case: $\mathcal{D} = \dfrac{\mathcal{D}_1 :: \Psi \vdash \omega\ \mathit{cover}}{\Psi \vdash \omega\ \mathit{cover}^*}$ multiempty

there exists a $(\Psi_0 \triangleright \psi_0) \in \omega$ and a $\psi_1$, s.t.
$\Phi \vdash \psi_1 \in \Psi_0$
$\Psi_0 \vdash \psi_0 \in \Psi$
$\Phi \vdash \psi_0 \circ \psi_1 = \psi \in \Psi$ by Lemma 7.22

Case: $\mathcal{D} = \dfrac{\mathcal{D}_1 :: \Psi \vdash \omega_1, (\Psi' \triangleright \psi'), \omega_2\ \mathit{cover}^* \qquad \mathcal{D}_2 :: \Psi' \vdash \omega'\ \mathit{cover}}{\Psi \vdash \omega_1, \psi' \circ \omega', \omega_2\ \mathit{cover}^*}$ multicons

there exists a $(\Psi_0 \triangleright \psi_0) \in \omega_1, (\Psi' \triangleright \psi'), \omega_2$ and a $\psi_1$, s.t.
$\mathcal{P}_1 :: \Phi \vdash \psi_1 \in \Psi_0$
$\mathcal{P}_2 :: \Psi_0 \vdash \psi_0 \in \Psi$
$\mathcal{P}_3 :: \Phi \vdash \psi_0 \circ \psi_1 = \psi \in \Psi$ by i.h. on $\mathcal{D}_1$

Case: $(\Psi_0 \triangleright \psi_0) = (\Psi' \triangleright \psi')$

then there exists a $(\Psi_2 \triangleright \psi_2) \in \omega'$ and a $\psi_3$ s.t.
$\mathcal{Q}_1 :: \Phi \vdash \psi_3 \in \Psi_2$
$\mathcal{Q}_2 :: \Psi_2 \vdash \psi_2 \in \Psi_0$
$\mathcal{Q}_3 :: \Phi \vdash \psi_2 \circ \psi_3 = \psi_1 \in \Psi_0$ by Lemma 7.22 on $\mathcal{D}_2, \mathcal{P}_1$
$\mathcal{R}_1 :: \Psi_2 \vdash \psi_0 \circ \psi_2 \in \Psi$ by Lemma 5.2 on $\mathcal{Q}_2, \mathcal{P}_2$
$(\Psi_2 \triangleright \psi_0 \circ \psi_2) \in \psi_0 \circ \omega'$ by Definition 7.3.2
$(\Psi_2 \triangleright \psi_0 \circ \psi_2) \in \omega_1, \psi' \circ \omega', \omega_2$ trivial
$\mathcal{R}_2 :: \Phi \vdash (\psi_0 \circ \psi_2) \circ \psi_3 = \psi_0 \circ \psi_1 = \psi \in \Psi$ by Def. substitution on $\mathcal{Q}_1, \mathcal{R}_1, \mathcal{Q}_3, \mathcal{P}_3$

Case: $(\Psi_0 \triangleright \psi_0) \neq (\Psi' \triangleright \psi')$

$(\Psi_0 \triangleright \psi_0) \in \omega_1, \omega_2$ trivial
$(\Psi_0 \triangleright \psi_0) \in \omega_1, \psi' \circ \omega', \omega_2$ trivial

□


Lemma 7.24 (Liveness)

If $\mathcal{D} :: \Psi \vdash \omega\ \mathit{cover}^*$
and $\mathcal{E} :: \Phi; \cdot \vdash \psi; \delta \in \Psi; \Delta$
then there exists a $(\Psi_0 \triangleright \psi_0) \in \omega$ and a $\psi_1$, s.t. $\Phi; \cdot \vdash \psi_1; \delta \in \Psi_0; [\psi_0]\Delta$
and $\Psi_0; [\psi_0]\Delta \vdash \psi_0; \mathrm{id}_\Delta \in \Psi; \Delta$
and $\Phi; \cdot \vdash (\psi_0; \mathrm{id}_\Delta) \circ (\psi_1; \delta) = (\psi; \delta) \in \Psi; \Delta$

Proof:

$\mathcal{E}_1 :: \Phi \vdash \psi \in \Psi$ by Lemma 7.17 on $\mathcal{E}$
there exists a $(\Psi_0 \triangleright \psi_0) \in \omega$ and a $\psi_1$, s.t.
$\Phi \vdash \psi_1 \in \Psi_0$
$\Psi_0 \vdash \psi_0 \in \Psi$
$\Phi \vdash \psi_0 \circ \psi_1 = \psi \in \Psi$ by Lemma 7.23 on $\mathcal{D}, \mathcal{E}_1$
$\Phi; \cdot \vdash \psi_1; \delta \in \Psi_0; [\psi_0]\Delta$
$\Psi_0; [\psi_0]\Delta \vdash \psi_0; \mathrm{id}_\Delta \in \Psi; \Delta$
$\Phi; \cdot \vdash (\psi_0; \mathrm{id}_\Delta) \circ (\psi_1; \delta) = (\psi; \delta) \in \Psi; \Delta$ by Lemma 7.16

□


Lemma 7.25 (Progress for case)

If $S = \Phi; C \triangleright (\psi; \delta) \sim \Omega$
and there exists a $((\Psi_0 \triangleright \psi_0) \mapsto P) \in \Omega$, and a $\psi_1$
s.t. $\Phi; \cdot \vdash \psi_1; \delta \in \Psi_0; [\psi_0]\Delta$
and $\Psi_0; [\psi_0]\Delta \vdash \psi_0; \mathrm{id}_\Delta \in \Psi; \Delta$
and $\Phi; \cdot \vdash (\psi_0; \mathrm{id}_\Delta) \circ (\psi_1; \delta) = (\psi; \delta) \in \Psi; \Delta$
then there exists an $S'$
and $S \Longrightarrow^* S'$
and $S'$ is not a match state

Proof: by induction over $\Omega$

Case: $\Omega = \cdot$

Impossible case: $((\Psi_0 \triangleright \psi_0) \mapsto P) \in \cdot$ undefined

Case: $\Omega = \Omega', ((\Psi'_0 \triangleright \psi'_0) \mapsto P')$

Case: $((\Psi_0 \triangleright \psi_0) \mapsto P) = ((\Psi'_0 \triangleright \psi'_0) \mapsto P')$

$S \Longrightarrow \Phi; C \triangleright P[\psi_1; \delta]$ by tryes
$S \Longrightarrow^* \Phi; C \triangleright P[\psi_1; \delta]$ by trid

Case: $((\Psi_0 \triangleright \psi_0) \mapsto P) \neq ((\Psi'_0 \triangleright \psi'_0) \mapsto P')$

$\mathcal{D}_1 :: S \Longrightarrow \Phi; C \triangleright (\psi; \delta) \sim \Omega'$ by trno
$\mathcal{D}_2 :: \Phi; C \triangleright (\psi; \delta) \sim \Omega' \Longrightarrow^* S'$ by i.h. on $\Omega'$
$S'$ is not a match state by i.h. on $\Omega'$
$S \Longrightarrow^* S'$ by trstep on $\mathcal{D}_1, \mathcal{D}_2$

□


Theorem 7.26 (Progress)

If $S$ is a state, but not a match state
and $S \neq \Phi; \cdot \triangleright V$
and $\mathcal{D} :: \vdash S \in F$
then there exists an $S'$ and an $S''$ which is not a match state
and $S \Longrightarrow S' \Longrightarrow^* S''$

Proof: by case analysis of $S$

Case: $S = \Phi; C \triangleright P$

Case: $P$ is not a value: $P \neq V$

$P = (M, P)$: trinx is applicable
$P = \mathbf{let}\ D\ \mathbf{in}\ P$: trlet is applicable
$P = \mu x \in F. P$: trrec is applicable
$P = (P_1, P_2)$: trpair is applicable
$P = (V_1, P_2)$: trmix is applicable
$P = \mathbf{case}\ (\psi; \delta)\ \mathbf{of}\ \Omega$:

$\mathcal{D}_1 :: \Phi; \cdot \vdash \mathbf{case}\ (\psi; \delta)\ \mathbf{of}\ \Omega \in F_1$ by inversion on $\mathcal{D}$
$\mathcal{E}_1 :: \Phi; \cdot \vdash \psi; \delta \in \Psi; \Delta$ by inversion on $\mathcal{D}_1$
$\mathcal{E}_2 :: \Psi; \Delta \vdash \Omega \in F_1$ by inversion on $\mathcal{D}_1$
$\mathcal{E}_3 :: \Psi \vdash \mathit{strip}(\Omega)\ \mathit{cover}^*$ formal side condition of $\mathcal{D}_1$
there exists a $(\Psi_0 \triangleright \psi_0) \in \mathit{strip}(\Omega)$, and a $\psi_1$, s.t.
$\Phi; \cdot \vdash \psi_1; \delta \in \Psi_0; [\psi_0]\Delta$
$\Psi_0; [\psi_0]\Delta \vdash \psi_0; \mathrm{id}_\Delta \in \Psi; \Delta$
$\Phi; \cdot \vdash (\psi_0; \mathrm{id}_\Delta) \circ (\psi_1; \delta) = (\psi; \delta) \in \Psi; \Delta$ by Lemma 7.24
$((\Psi_0 \triangleright \psi_0) \mapsto P) \in \Omega$ by Definition 7.13
$\mathcal{D}_1 :: S \Longrightarrow S'$ by trcase
$\mathcal{D}_2 :: S' \Longrightarrow^* S''$ by Lemma 7.25
$S''$ is not a match state by Lemma 7.25
$S \Longrightarrow^* S''$ by trstep on $\mathcal{D}_1, \mathcal{D}_2$

Case: $P$ is a value: $P = V$; case analysis of $C$

$C = C', (\bullet, P)$: trpairC is applicable
$C = C', (V, \bullet)$: trmixC is applicable
$C = C', (M, \bullet)$: trinxC is applicable
$C = C', (x \in F = \pi_1 \bullet, D)$: trfstC is applicable
$C = C', (x \in F = \pi_2 \bullet, D)$: trsndC is applicable
$C = C', ((x : A, y \in F) = \bullet, D)$: trsplitC is applicable
$C = C', (x \in F = \bullet\ M, D)$: trAppC is applicable
$C = C', (x \in F = \bullet\ p, D)$: trappC is applicable
$C = C', (x \in F = \bullet, D)$: trassign is applicable
all other continuations impossible due to typing

Case: $S = \Phi; C \triangleright D$

$D = \cdot$: trempty is applicable
$D = (x : A, y \in F) = P, D$: trsplit is applicable
$D = x \in F = P\ M, D$: trApp is applicable
$D = x \in F = P\ p, D$: trapp is applicable
$D = \nu p^L. D$: trnew is applicable
$D = x \in F = \pi_1 P, D$: trfst is applicable
$D = x \in F = \pi_2 P, D$: trsnd is applicable

Case: $S = \Phi; C \triangleright \psi; \delta$: case analysis over $C$

$C = C', \mathbf{let}\ \bullet\ \mathbf{in}\ P$: trletC is applicable
$C = C', (\bullet; V/x, \bullet)$: trmeta is applicable
$C = C', (\lambda p^L. (\bullet; \bullet))$: trnewC is applicable
$C = C', (M/x, \bullet; V/y, \bullet)$: trsubst is applicable
all other continuations impossible due to typing

□

Theorem 7.27 (Realizability)

If $\Phi; \cdot \vdash P \in F$
then there exists a $V$
s.t. $\Phi; \cdot \vdash V \in F$
and $\Phi; \cdot \triangleright P \Longrightarrow^* \Phi; \cdot \triangleright V$

Proof: direct.

$\mathcal{D} :: \Phi; \cdot \triangleright P \Longrightarrow^* S'$ by Theorem 7.9

Case: $S' = \Phi; \cdot \triangleright V$

$\mathcal{E}_1 :: \Phi \vdash \cdot \in F \Longrightarrow F$ by tcdone
$\mathcal{E}_2 :: \vdash (\Phi; \cdot \triangleright P) \in F$ by tsprg on $\mathcal{E}_1$
$\mathcal{E}_3 :: \vdash (\Phi; \cdot \triangleright V) \in F$ by Lemma 7.4 on $\mathcal{E}_2$
$\Phi; \cdot \vdash V \in F$ by inversion on $\mathcal{E}_3$

Case: $S' \neq \Phi; \cdot \triangleright V$ and computation ends in $S'$. Case is impossible because: $S' \Longrightarrow S''$ by Theorem 7.26 and therefore $S'$ cannot be the state the computation ended in.

□

Theorem 7.28 (Soundness of

1. If $\mathcal{D} :: \vdash Q \in G$
then $\models G$.

2. If $\mathcal{D} :: \Phi; \cdot \vdash V \in F$
then $\Phi \models F$.

Proof: (1) direct, (2) by induction on the size of formulas $F$.

1. Case: $G = \Box S. F$:

$\mathcal{D} :: \vdash \mathbf{box}\ S. P \in \Box S. F$ by assumption
$\mathcal{D}_1 :: \cdot; \cdot \vdash P \in F$ by inversion
Let $\Phi \in [\![S]\!]$, arbitrary
$\mathcal{E}_1 :: \Phi; \cdot \vdash P \in F$ by Lemma 6.11(1)
$\Phi; \cdot \triangleright P \Longrightarrow^* \Phi; \cdot \triangleright V$
$\mathcal{E}_2 :: \Phi; \cdot \vdash V \in F$ for a $V$ by Theorem 7.27 on $\mathcal{E}_1$
$\Phi \models F$ by i.h.(2) on $\mathcal{E}_2$
$\models \Box S. F$ by Definition 5.7, discharging assumption that $\Phi$ arbitrary

2. Case: $F = \top$:

$\mathcal{D} :: \Phi; \cdot \vdash \langle\rangle \in \top$ by assumption
$\Phi \models \top$ by Definition 5.7

Case: $F = \exists x : A. F'$

$\mathcal{D} :: \Phi; \cdot \vdash (M, V') \in \exists x : A. F'$ by assumption
$\mathcal{D}_1 :: \Phi \vdash M : A$ by inversion on $\mathcal{D}$
$\mathcal{D}_2 :: \Phi; \cdot \vdash V' \in F'[M/x]$ by inversion on $\mathcal{D}$
$\Phi \models F'[M/x]$ by i.h.(2) on $\mathcal{D}_2$
$\Phi \models \exists x : A. F'$ by Definition 5.7 on $\mathcal{D}_1$

Case: $F = \forall x : A. F'$:

$\mathcal{D} :: \Phi; \cdot \vdash \lambda x : A. P \in \forall x : A. F'$ by assumption
$\mathcal{D}_1 :: \Phi, x : A; \cdot \vdash P \in F'$ by inversion on $\mathcal{D}$
Let $M$ be arbitrary, s.t. $\Phi \vdash M : A$
$\mathcal{P}_1 :: \Phi; \cdot \vdash \mathrm{id}_\Phi; \cdot \in \Phi; \cdot$ by Lemma 6.22
$\mathcal{P}_2 :: \Phi; \cdot \vdash \mathrm{id}_\Phi, M/x; \cdot \in \Phi, x : A; \cdot$ trivial
$\mathcal{Q}_1 :: \Phi; \cdot \vdash P[M/x] \in F'[M/x]$ by Lemma 6.20(1) on $\mathcal{D}_1, \mathcal{P}_2$
$\mathcal{Q}_2 :: \Phi; \cdot \triangleright P[M/x] \Longrightarrow^* \Phi; \cdot \triangleright V$
$\mathcal{Q}_3 :: \Phi; \cdot \vdash V \in F'[M/x]$ for a $V$ by Theorem 7.27 on $\mathcal{Q}_1$
$\Phi \models F'[M/x]$ by i.h.(2) on $\mathcal{Q}_3$
$\Phi \models \forall x : A. F'$ by Definition 5.7, discharging assumption that $M$ arbitrary

Case: $F = \Pi p^L. F'$:

$\mathcal{D} :: \Phi; \cdot \vdash \lambda p^L. P \in \Pi p^L. F'$ by assumption
$\mathcal{D}_1 :: \Phi, p^L; \cdot \vdash P \in F'$ by inversion on $\mathcal{D}$
Let $p'^L \in \Phi$ be arbitrary, s.t. $\Phi \vdash p \approx p'$
$\mathcal{P}_1 :: \Phi; \cdot \vdash \mathrm{id}_\Phi; \cdot \in \Phi; \cdot$ by Lemma 6.22
$\mathcal{P}_2 :: \Phi; \cdot \vdash \mathrm{id}_\Phi, p'/p; \cdot \in \Phi, p^L; \cdot$ trivial
$\mathcal{Q}_1 :: \Phi; \cdot \vdash P[p'/p] \in F'[p'/p]$ by Lemma 6.20(1) on $\mathcal{D}_1, \mathcal{P}_2$
$\mathcal{Q}_2 :: \Phi; \cdot \triangleright P[p'/p] \Longrightarrow^* \Phi; \cdot \triangleright V$
$\mathcal{Q}_3 :: \Phi; \cdot \vdash V \in F'[p'/p]$ for a $V$ by Theorem 7.27 on $\mathcal{Q}_1$
$\Phi \models F'[p'/p]$ by i.h.(2) on $\mathcal{Q}_3$
$\Phi \models \Pi p^L. F'$ by Definition 5.7, discharging assumption that $p'^L$ arbitrary

Case: $F = F_1 \wedge F_2$:

$\mathcal{D} :: \Phi; \cdot \vdash (V_1, V_2) \in F_1 \wedge F_2$ by assumption
$\mathcal{D}_1 :: \Phi; \cdot \vdash V_1 \in F_1$ by inversion on $\mathcal{D}$
$\mathcal{D}_2 :: \Phi; \cdot \vdash V_2 \in F_2$ by inversion on $\mathcal{D}$
$\Phi \models F_1$ by i.h.(2) on $\mathcal{D}_1$
$\Phi \models F_2$ by i.h.(2) on $\mathcal{D}_2$
$\Phi \models F_1 \wedge F_2$ by Definition 5.7